Microsoft on July 14, 2026 released its monthly security rollup for Office, addressing a critical vulnerability that could let attackers run malicious code on your PC simply by tricking you into opening a weaponized document. The flaw, tracked as CVE-2026-55017, scores a 7.8 on the CVSS severity scale and affects every supported Office version—from Office 2016 to the latest Microsoft 365 subscription.

What exactly did Microsoft fix?

CVE-2026-55017 is a heap-based buffer overflow in the way Office parses files. When the application opens a specially crafted document, it can write beyond the memory buffer allocated for that operation, corrupting adjacent memory and potentially redirecting execution to code controlled by an attacker. In plain terms: a malicious Word, Excel, or PowerPoint file could hijack your Office program and run any command the attacker wants, with the same permissions as your logged-in user account.

Microsoft’s advisory describes the outcome as remote code execution (RCE), but the CVSS vector tells a more nuanced story. The attack vector is listed as “Local” (AV:L), which has prompted confusion. Microsoft explains that “remote” refers to the attacker’s location—they can send the file from anywhere—while the exploitation itself occurs locally on the victim’s machine when the file is opened. The CVSS vector also notes that user interaction is required (UI:R), meaning the attack isn’t a zero-click worm; someone must be persuaded to open the malicious document.

The full CVSS 3.1 string—AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H—indicates that the attack complexity is low, no privileges are needed, but a user must take action. Once triggered, the impact to confidentiality, integrity, and availability is high. That makes it a classic document-based attack scenario: an email with an attachment, a link to a file on a shared drive, or a download from a compromised website.

Affected products span the entire Office portfolio:
- Microsoft 365 Apps for Enterprise (all channels)
- Office 2016 (MSI and Click-to-Run, though patching methods differ)
- Office 2019
- Office LTSC 2021
- Office LTSC 2024
Both 32-bit and 64-bit installations are vulnerable.

For administrators, the fix isn't one-size-fits-all. MSI-based Office 2016 installations require specific component updates, notably KB5002273 for the Visual Basic for Applications runtime, and additional patches for Excel, Word, PowerPoint, and shared components. Click-to-Run installations—which include Microsoft 365 Apps, Office 2016 Click-to-Run, and the newer perpetual releases—receive the fix through the standard update channel mechanism. Microsoft’s July 2026 Office update index lists all the relevant packages; misapplying the wrong type can leave systems exposed.

What it means for you

If you’re a home or small business user:
- The risk is real but requires you to open a malicious file. That means the usual advice applies: don’t open attachments from unknown senders, be wary of unexpected documents even from known contacts, and keep Office updated.
- Updating is straightforward: open any Office application, go to File > Account > Update Options > Update Now. For Click-to-Run, this pulls the latest security build. If you’re still running Office 2016 MSI—common on older perpetual licenses—you’ll need to install the update through Windows Update (make sure “Give me updates for other Microsoft products” is enabled) or download the packages manually from the Microsoft Update Catalog.
- Even after patching, keep Protected View enabled, don’t blindly trust documents from the internet, and consider using Microsoft Defender’s Attack Surface Reduction rules if you’re on a supported Windows edition.

For IT administrators:
- This is a critical patch for all Office versions in your environment. Because the vulnerability requires user interaction, it doesn’t pose the same immediate network-spread risk as a worm, but it’s a high-value target for phishing campaigns and targeted attacks. No privileges are needed to trigger it, so even a restricted user opening a weaponized document could compromise their workstation.
- Your immediate task: verify the Office installation type and channel on every endpoint. Click-to-Run devices on Current Channel likely already received the update automatically, but Deferred Channel, Monthly Enterprise Channel, or Semi-Annual Channel configurations may be lagging. Check the build numbers against the July 2026 security release baseline.
- For Office 2016 MSI, KB5002273 is mandatory, but it patches only the VBA component; you’ll also need the cumulative updates for the other Office components (Excel, Word, etc.). Microsoft’s update history page lists them; apply them all, as the vulnerability could be triggered through multiple file formats.
- Monitoring is crucial: after deployment, watch for suspicious Office child processes (e.g., Word spawning PowerShell or cmd.exe) and scan for documents with unusual origins. Attack surface reduction rules like “Block executable content from email client and webmail” and “Block Office applications from creating child processes” can add an extra layer, but they are not a substitute for patching.
- As of July 15, 2026, CISA reported no known exploitation, but that can change quickly once exploit details become public. Patch now.

How we got here

Office document-based remote code execution flaws are a well-worn path for attackers. The suite’s complex file parsers, legacy macro engines, and extensive backward compatibility create a large attack surface. Heap overflows, in particular, stem from memory mismanagement in code written in languages like C++, which Office heavily relies on. When an application allocates a chunk of heap memory and then writes more data than that chunk can hold, it tramples adjacent memory. Skilled attackers can shape that corruption to hijack the program’s control flow and execute arbitrary code.

CVE-2026-55017 is the latest in a long line of such vulnerabilities. Microsoft’s July 2026 Office update addressed multiple CVEs; this one stood out for its high severity and broad scope. While the company’s advisory doesn’t go into deep technical analysis—it never does for active vulnerabilities—the CVSS metrics suggest a bug that is both easy to reach (low attack complexity) and does not require elevated preparation. The fact that it’s a heap overflow with high impact on all three CIA pillars indicates a serious memory corruption that likely offers an attacker the ability to gain code execution with high reliability.

Historically, patches like this are released after a researcher or internal team discovers the flaw. Microsoft does not say whether it was reported through a bug bounty or found internally, and that’s typical. What matters is that the fix is out.

What to do now

  1. Patch immediately. For home users, manually trigger an update check in any Office app. For IT admins, push the July 2026 security updates through WSUS, ConfigMgr, or Intune.
  2. Verify patch status. Don’t assume that updating Windows updates Office. For Click-to-Run, check the version number of an Office app (e.g., winword.exe). The build should be at least the one listed in Microsoft’s security release notes for July 2026. For MSI Office 2016, look for KB5002273 and the other component updates in the installed update list.
  3. Reinforce document security. Ensure that macros are disabled, Protected View is enabled, Mark of the Web is honored, and that attachment filtering on email gateways is active. These measures complicate an attacker’s ability to deliver the malicious document, but they don’t prevent exploitation if the file reaches the user and is opened.
  4. Enable advanced defenses. If you run Microsoft Defender for Endpoint, turn on attack surface reduction rules like “Block all Office applications from creating child processes” in audit mode first to avoid business disruption. Enable cloud-delivered protection and automatic sample submission to help Defender block weaponized documents even before the patch is applied.
  5. Educate users. Remind your colleagues that opening documents from unknown sources remains the number one infection vector. Even with the patch, a future unknown vulnerability will arrive. Skepticism of unsolicited documents is a lasting defense.

Outlook

No exploit code has surfaced publicly, but history teaches that reverse-engineering a Microsoft security update can produce a working exploit within days or weeks. Organizations that defer updates are gambling that attackers won’t target them. The patch’s complexity—multiple installers, two servicing models—adds friction that could leave gaps. Attackers typically test their exploits against common configurations; any unpatched Office 2016 MSI system is a sitting duck.

Microsoft will almost certainly fold this fix into the following month’s cumulative updates, but waiting is needless risk. Admins should also keep an eye on CISA’s Known Exploited Vulnerabilities catalog; if CVE-2026-55017 gets added, that’s a signal that active attacks are in the wild.

For everyday users, the story is a familiar reminder: keep the update engine running, and don’t click that sketchy attachment. For the IT crowd, it’s time to earn your keep—audit those Office installs and get patching.