Microsoft issued a critical security update on July 14, 2026, for a vulnerability that strikes at the core of how Office handles documents. CVE-2026-47290 is a remote code execution flaw present in every currently supported edition of Office, from Office 2016 through Microsoft 365 Apps. An attacker who convinces a user to open a specially crafted file can run arbitrary code on the victim’s system without any prior access. The bug carries a CVSS 3.1 base score of 7.8, rated High, and demands immediate attention from both home users and enterprise administrators.

The Patch Details

The July 14 security release delivers fixes across the entire Office portfolio. For classic MSI-based installations of Office 2016, Microsoft published KB5002273, which updates the suite to version 16.0.5561.1000. Click-to-Run editions—including Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Office LTSC 2024—receive the fix through their respective update channels. The advisory does not list any bypasses or partial workarounds; the patch is the sole remediation.

Under the hood, the vulnerability stems from a use-after-free memory corruption (CWE-416) in an Office component responsible for processing document contents. When a user opens a poisoned file, a dangling pointer can be exploited to hijack execution flow and launch attacker-controlled code. The exploit operates entirely within the local Office process, which is why the CVSS attack vector (AV) is marked as “Local.” However, the attacker never needs to be physically near the target or even have a user account on the machine. The malicious document can arrive through email, a download link, a shared cloud folder, or a compromised website. Once Office renders it, the exploit fires—no further interaction required.

This distinction often confuses readers. Microsoft clarifies that “Remote” in the vulnerability title refers to the adversary’s location, not the method by which Office is attacked. The CVSS vector—AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H—tells the full story: low attack complexity, no required privileges, but mandatory user interaction (the file must be opened). The high impact ratings for confidentiality, integrity, and availability mean a successful attack can read, alter, or delete data, disable security software, or install persistent malware.

What’s at Stake for Users

For home users, the risk is personal and immediate. Office documents are a staple of everyday computing, and attackers have proven adept at crafting phishing emails that impersonate invoices, resumes, or urgent notifications. An infection could lead to ransomware, banking trojans, or a complete takeover of the PC. Because the vulnerability requires no special privileges, even a limited user account is enough—once code executes, an attacker often chains additional exploits to gain system-level control.

Enterprise administrators face a broader challenge. Office 2016 still runs on millions of business machines, many of which may be locked into older update processes or managed with uneven patch compliance. A single unpatched workstation can become the beachhead for lateral movement across the network. The vulnerability also applies to 64-bit and 32-bit Office versions, so there is no safe architecture. IT teams must reconcile multiple update mechanisms: Windows Server Update Services for MSI installs, Click-to-Run update policies for modern apps, and the Microsoft 365 Apps Admin Center for cloud-managed subscriptions.

For developers who build Office add-ins or applications that process Office documents programmatically (e.g., through the Office Interop or Open XML SDK), the risk is indirect. If a component in your pipeline opens untrusted files, an attacker could exploit the vulnerability on a server or build machine. Ensure that any environment handling documents is patched and that files are scanned before processing.

The Larger Picture

Document-based attacks are as old as Office itself. In the 1990s, macro viruses like Melissa spread via infected Word files. Over the years, Microsoft tightened defenses: Protected View, Application Guard, Attack Surface Reduction rules, and the eventual disabling of VBA macros by default for internet-origin files. Yet, memory-corruption bugs like use-after-free errors remain stubbornly effective because they bypass these layers when a file is simply opened.

CVE-2026-47290 lands in a familiar arc. It was disclosed as part of Microsoft’s regular July Patch Tuesday, suggesting it was responsibly reported. The CVSS score of 7.8—High, but not Critical—reflects the required user interaction. But history shows that patching for such flaws cannot be left to chance. Within days of a bulletin, attackers often reverse-engineer the fix and weaponize proof-of-concept code. Because the attack vector is local only in a technical sense, the barrier to entry is low: a single convincing email is all it takes.

This is not an isolated incident. The Office codebase is vast and touches countless file formats. Use-after-free vulnerabilities have been patched in Office multiple times in recent years, each requiring a similarly urgent response. The July 14 update is a reminder that even with cloud-connected filters and AI-based detection, the most reliable defense remains timely patching.

Your Patching Checklist

Immediate action is straightforward, but the steps differ depending on how Office is installed.

For Home Users and Small Businesses

  1. Check your Office version. Open any Office app, go to File > Account. Under Product Information, you’ll see whether you have a Microsoft 365 subscription, Office 2019, Office 2021, etc.
  2. Apply the update. For Microsoft 365 or Click-to-Run editions, go to File > Account > Update Options > Update Now. For MSI-based Office 2016, run Windows Update or download KB5002273 directly from the Microsoft Update Catalog.
  3. Verify the build. After updating, return to File > Account. The version number should read 16.0.5561.1000 or higher for Office 2016 MSI. Click-to-Run builds will vary; the version date should be on or after July 14, 2026.
  4. Stay suspicious. Even after patching, hesitate before opening unexpected documents. Malware authors will pivot to other bugs; the patch only closes this specific door.

For IT Administrators

Office Edition Update Method Key Identifier
Office 2016 (MSI) Windows Update, WSUS, or manual KB5002273 deployment Version 16.0.5561.1000
Office 2019, LTSC 2021/2024 (volume-licensed Click-to-Run) ConfigMgr, Intune, or group policy–controlled update management Build with July 14, 2026, date stamp
Microsoft 365 Apps Automatic updates from the Office Content Delivery Network (CDN) Version 2307 or later, depending on channel
Office 2016 (Click-to-Run) Same as Microsoft 365 Apps Build with July 14, 2026, date stamp
  • Deploy the patches. Use your existing software distribution tools. For environments with strict change control, treat this as an emergency out-of-band change—the fix is a standard security update, but the risk warrants a rapid rollout.
  • Monitor compliance. In Microsoft Intune, check the Office update reports under Apps > Monitor > Office updates. For Configuration Manager, ensure the software update group for July 2026 Office patches is deployed to all collections containing Office clients.
  • Reinforce defenses. Although patching is the primary mitigation, you can further reduce risk by enforcing Protected View for all internet-origin files, enabling ASR rule “Block all Office applications from creating child processes,” and ensuring Microsoft Defender for Office 365 is scanning attachments and links in real time.

No workarounds exist that eliminate the vulnerability without the patch. Disabling document opening entirely is impractical. Apply the July 14 updates and verify success.

The Road Ahead

Expect exploit code to surface quickly. Security researchers routinely publish analyses of patched vulnerabilities, and criminal groups adapt that research into functional attacks. Phishing campaigns are the most likely delivery mechanism, so employee awareness training is a vital complementary measure. Microsoft will likely include this CVE in future hardening initiatives, but for now, the onus is on users and admins to close the hole.

This episode reinforces a simple truth: the document is still the digital weapon of choice. Patching is the shield, but skepticism is the sensor. Update Office today, and when that strange invoice arrives tomorrow, think twice before you click.