Microsoft released security updates on July 14, 2026, that fix a memory disclosure vulnerability in Microsoft Office and on-premises SharePoint Server. Tracked as CVE-2026-55023, the flaw can be exploited locally by tricking a user into opening a maliciously crafted file, allowing attackers to read information from system memory. Every supported edition of Office for Windows and Mac is affected, along with SharePoint Server 2016, 2019, and Subscription Edition.
The Actual Update: What Microsoft Fixed and Which Versions Need Patching
According to the Microsoft Security Response Center (MSRC), CVE-2026-55023 stems from an out-of-bounds read weakness (CWE-125). In practical terms, a specially crafted document or other input—processed by an affected Office component—could force the software to access and potentially return data stored beyond the buffer it was supposed to use. The flaw carries a CVSS 3.1 base score of 5.5, placing it in the Medium severity band, but the confidentiality impact is rated High, meaning real-world data exposure is possible.
The vulnerability touches a broad product lineup:
- Microsoft 365 Apps for Enterprise (all update channels)
- Office 2016 (32- and 64-bit)
- Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Office for Mac (Microsoft 365, LTSC 2021, and LTSC 2024)
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Microsoft’s documented fixed build thresholds are the most reliable way to confirm protection:
- Office 2016: version 16.0.5561.1000 or later
- SharePoint Enterprise Server 2016: 16.0.5561.1001 or later (update KB5002891)
- SharePoint Server 2019: 16.0.10417.20175 or later (KB5002883)
- SharePoint Server Subscription Edition: 16.0.19725.20434 or later (KB5002882)
- Office for Mac: 16.111.26071215 or later
For subscription-based Office (Microsoft 365 Apps, Office LTSC 2021/2024) on Windows, Microsoft directs admins to the respective channel-specific builds rather than listing a single magic number. That means you must match your deployment ring—Current Channel, Monthly Enterprise, Semi-Annual Enterprise—with the corresponding KB article and build details in the July 2026 security release documentation.
What CVE-2026-55023 Means for Your Environment
The vulnerability’s attack vector is classified as local (AV:L), requires user interaction (UI:R), and does not need any privileges (PR:N). That threat model hinges on a user opening or interacting with a weaponized file. Because Office documents flow constantly through email, Teams, SharePoint, USB drives, and third-party portals, the attack surface is wide—even if exploitation requires a targeted, non-automated approach.
For home users and small businesses using click-to-run Office: If you have automatic updates enabled, your Microsoft 365 apps should receive the fix within days. You can verify by going to File > Account > Update Options > Update Now in any Office app, then checking the build number. For Mac, open any app’s “About” dialog.
Enterprise IT teams face a bigger challenge. Managed desktops on deferred channels or disconnected from the internet may not get the patch automatically. Intune, Configuration Manager, or third‑party patch management tools should be queried not just for “Office updated successfully” but for the actual build numbers listed above. A simple Windows cumulative update compliance report will miss the Office‑specific fixes entirely.
SharePoint administrators have a separate task: patching the server farm itself. Unlike the desktop Office vulnerability, the presence of CVE-2026-55023 in SharePoint means server-side document processing components could be exploited via user uploads or libraries. Standard farm-patching procedures apply—install the respective SharePoint update (KB5002891, KB5002883, or KB5002882), run the SharePoint Products Configuration Wizard on each server, and remember to patch language packs if they were installed separately. Office Online Server instances also received a July fix and should be updated in tandem.
The Anatomy of an Out‑of‑Bounds Read and Why It Matters
CWE‑125 bugs let software read past the end of a buffer. The data returned can be anything residing in adjacent memory—document contents, passwords, session tokens, pointer values that reveal memory layout, or even remnants of recently processed files. Microsoft has not disclosed precisely what kind of data CVE‑2026‑55023 can expose, but the High confidentiality flag signals that the information could be sensitive. Importantly, there is no integrity or availability impact: an attacker cannot modify files, crash the application, or execute code through this vector alone. That cap is why the CVSS score remains at 5.5, rather than jumping into the critical range.
Because the flaw requires local exploitation, it doesn’t lend itself to internet‑spanning worms or remote drive‑by attacks. The realistic attack path is a targeted email or a document placed in a shared location. Once the user opens it, the malicious payload triggers the out‑of‑bounds read and exfiltrates whatever memory the bug can reach. This could be combined with other vulnerabilities in a multi‑stage attack, but on its own it functions as an information disclosure tool.
As of July 14, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had not seen evidence of exploitation in the wild, and the MSRC advisory does not list public disclosure or active attacks. That doesn’t mean organizations can afford to wait. Attackers often reverse‑engineer patches to create proof‑of‑concept exploits within days, and user‑interaction‑based attacks remain a staple of phishing campaigns.
How We Arrived Here: Context and Patch Priority
July 2026 is not the first time a memory safety bug in Office’s document processing has surfaced. In recent years, Microsoft has patched similar out‑of‑bounds reads and heap overflows across its productivity suite, many of them triggered by malformed graphics, fonts, or legacy binary formats. The July 14 security release bundles CVE-2026-55023 alongside other Office fixes, making it part of Microsoft’s regular “Update Tuesday” cadence.
The true urgency for defenders comes from the intersection of two factors: broad applicability and high confidentiality impact. The affected list runs from 2016-era perpetual Office to the latest subscription desktop apps and three generations of SharePoint Server—environments that often coexist inside the same organization. A quickly patched fleet of Windows 11 clients running Microsoft 365 Apps won’t do much if a legacy SharePoint 2016 farm remains exposed, or if a pool of Mac devices runs unpatched builds.
Your Immediate Action Plan
1. Verify desktop Office builds, not just “update installed.”
- Launch any Office app, go to File > Account.
- Look for the version and build numbers.
- Compare against Microsoft’s fixed thresholds for your product edition and update channel.
- Force an update if the build is lower: File > Account > Update Options > Update Now.
2. Audit patch management for non‑Windows devices.
- Office for Mac auto‑updates via Microsoft AutoUpdate. Open any Office app, click Help > Check for Updates, and ensure build 16.111.26071215 or higher is installed.
- Mobile Office apps (iOS/iPadOS, Android) are not listed as affected; Microsoft’s advisory omits them, but verifying is wise.
3. Patch SharePoint Server farms methodically.
- Download the specific security update for your SharePoint version:
- SharePoint 2016: KB5002891
- SharePoint 2019: KB5002883
- Subscription Edition: KB5002882
- Install on all farm servers, including web front ends and application servers.
- Run the SharePoint Products Configuration Wizard in the correct order.
- Apply corresponding language pack updates if in use.
4. Address Office Online Server.
- The July update cycle also includes a fix for Office Online Server. Install it following standard maintenance procedures to close any server‑side rendering risk.
5. Deploy compensating controls while patching is incomplete.
- Use Microsoft Defender for Office 365 to block attachments that match malicious patterns.
- Enforce Protected View for files from the internet (a default in modern Office, but worth auditing).
- Maintain Mark of the Web on downloads from SharePoint, OneDrive, and external sources.
- Disable automatic opening of attachments in Outlook and other mail clients.
6. Monitor for updates to the CVE record.
- Periodically check the MSRC advisory for CVE-2026-55023 for any change in exploitation status, revised scores, or additional technical details.
Outlook: What’s Next for This Vulnerability
Microsoft has not detailed the specific parsing path or the exact memory contents that can be leaked, but exploit developers will certainly study the patches to isolate the vulnerable code. A working proof of concept, if it emerges, would likely be added to phishing toolkits quickly. Security teams should treat the July 14 updates as the definitive mitigation and push for full deployment within their standard aggressive-patch windows. The High confidentiality impact, combined with an attack surface that spans every Office document a user might open, makes waiting a risky bet—even for a Medium-severity bug with no known active exploits.