Microsoft shipped a critical security fix on July 14, 2026 that closes a code execution hole in Microsoft Office Word. The vulnerability, tracked as CVE-2026-55055, carries a CVSS 3.1 score of 7.8 and can be exploited simply by opening a booby-trapped document. The patch batch also reaches SharePoint servers that share Office components.
The flaw touches almost every supported Office edition—from per-user Click-to-Run installations and the everlasting Word 2016 MSI package to server-grade SharePoint farms. With attack complexity rated low and no privileges required, the bug is a prime candidate for email phishing campaigns and weaponized document downloads.
The fix packs a stack-based buffer overflow
CVE-2026-55055 is a memory-corruption weakness catalogued as CWE-121, a classic stack-based buffer overflow. When Word parses a specially crafted file, malformed data overwrites the execution stack and can redirect program flow to attacker-controlled code. The malicious payload then runs with whatever permissions the Word process holds.
Microsoft’s CVSS vector lays out the real-world constraints:
* Attack Vector: Local (AV:L) – the vulnerability fires inside the Word process on the target machine, not via an exposed network service.
* Attack Complexity: Low (AC:L) – no rare environmental conditions are needed.
* Privileges Required: None (PR:N) – the attacker doesn’t need an existing account on the system.
* User Interaction: Required (UI:R) – somebody has to open the document.
* Scope: Unchanged (S:U) – the exploited component stays within the same security boundary.
* Impact: High on confidentiality, integrity, and availability – a successful attack can steal data, alter files, or crash the application.
The “local” vector prompts a fair question: why does the advisory title call this remote code execution? The answer sits in the difference between attacker location and exploitation mechanism. An off-site adversary can deliver the malicious document through email, a shared folder, or a website download—hence “remote.” But the actual code execution occurs locally once Word processes the file. The attack is not a self-propagating worm hitting listening services; it needs a user to spring the trap.
Every major Office and SharePoint installation is in scope
Microsoft’s affected-product list for CVE-2026-55055 reads like a roll call of current and recently supported Office deployments:
| Product | Update channel / package |
|---|---|
| Microsoft 365 Apps for enterprise | Click-to-Run, all servicing channels |
| Office 2019 | Perpetual VLSC, retail |
| Office LTSC 2021 | Volume license |
| Office LTSC 2024 | Volume license |
| Word 2016 | MSI-based installations (KB5002890) |
| Office 365 for Mac | Apple Silicon / Intel |
| Office LTSC for Mac 2021, 2024 | Standard and volume license |
| SharePoint Server 2016 | KB5002891, KB5002892 |
| SharePoint Server 2019 | KB5002883, KB5002885 |
| SharePoint Server Subscription Edition | KB5002882 |
For Mac users, the build number that seals the leak is 16.111.26071215 or later. Windows users on Click-to-Run don’t receive a separate KB article; instead, the Office background update mechanism fetches the latest security release for the assigned channel. IT administrators managing on-prem SharePoint farms have additional post-install steps: after running the patch executable, they must complete the SharePoint Products Configuration Wizard on every server in the farm. Some July packages interact with Workflow Manager, so test runs in a staging environment are wise for farms that still lean on legacy workflows.
What the bug means for everyday users and IT teams
The real danger is not the vulnerability on its own—it’s how easily it slots into existing attack playbooks. Phishing campaigns, business email compromise, and waterholing all feed on the fact that people open attachments from senders they think they trust. CVE-2026-55055 removes the need for a second‑stage exploit: once the document loads, the attacker can run commands immediately. If the victim is logged in as a local administrator, the compromise can spread to the entire machine in seconds. Even under a standard user account, the attacker can still exfiltrate documents, install user‑level persistence, or pivot to network resources.
SharePoint administrators face a slightly different risk model. While the vulnerability doesn’t expose a SharePoint web front-end to direct network attack, document‑processing components on the server can be exposed if users upload malicious Word files and a server-side process parses them—for example, during search crawls, document conversion, or certain workflow actions. Applying the SharePoint patches removes that server‑side exposure.
A timeline that mirrors every Patch Tuesday—with extra urgency
Microsoft published CVE-2026-55055 on its regular Patch Tuesday cadence for July 2026. The vulnerability hadn’t been publicly disclosed or seen in active attacks before the fix went live. The advisory came with the same Security Update Guide that covers dozens of other fixes; it could easily get lost in the noise if admins glance only at the “top‑ten” vulnerability lists.
That quiet disclosure is deceptive. The vulnerability’s low attack complexity and high impact make it a sweet spot for post‑patch reverse engineering and weaponization. Within days of any Patch Tuesday, security researchers and malicious actors alike begin diffing the binaries to understand the bug. The window between the update and the first functional proof‑of‑concept can be just hours. For an Office vulnerability that needs only a user to open a file, that window matters.
How to protect your machines right now
For home users and small offices
- Open any Office application (Word, Excel, or Outlook).
- Go to File > Account > Update Options > Update Now.
- Wait for the “You’re up to date!” message and restart the app.
- Verify the version:
File > Account, then look under “About Word.” For Microsoft 365, the build number should match the latest listed in the Office update history. For subscription‑based installs on Mac, open a document, click the app name in the menu bar, and choose “About”—the version must be 16.111.26071215 or higher.
For IT administrators
- Workstations: Push the July security update through your software‑update management tool. For MSI‑based Word 2016, approve KB5002890.
- SharePoint farms: Stage the relevant patch (see table above), install each server one at a time, and run the Configuration Wizard. Verify the build numbers in Central Administration > System Settings > Manage servers in this farm. Keep an eye on the Upgrade and Migration status page for any post‑patch job failures.
- Office 365 tenants: Click‑to‑Run updates should flow automatically according to your update channel policy. If you use a deferral window, consider shortening it for this patch cycle.
Hardening steps that buy you time
Patching is the only complete fix, but these practices shrink the blast radius:
- Enable Protected View: It opens documents from the internet in a sandboxed, read‑only mode. Most Office deployments have this on by default; don’t disable it.
- Use Mark of the Web: Windows attaches a “this file came from the internet” flag to downloaded files; Office honors that flag. Train users not to unblock files that arrive with that warning unless they are absolutely certain of the source.
- Run without admin rights: Standard user accounts can still be compromised, but they limit the attacker’s ability to install persistent malware or wipe system resources.
- Application control: Windows Defender Application Control or AppLocker can prevent untrusted Office documents from launching entirely if your environment can enforce strict rules.
- Email filtering: Attachment sandboxing and blocking of malicious file types at the gateway can catch malicious .doc and .docx files before they land in an inbox.
What comes next
CVE-2026-55055 is a textbook document‑based code execution flaw. Its CVSS vector is local, but the kill chain is remote, delivered through the same channels that keep phishing filters busy every day. Microsoft’s July update package is the only permanent closure. Because no workaround is listed in the advisory, organizations that delay the patch are effectively betting that their perimeter defenses and user awareness training will catch every single weaponized document—and that’s a bet that seldom pays out in the long run.
Security researchers will almost certainly publish detailed technical analysis in the coming days, which will lower the bar for exploitation. Watch for indicators of compromise that involve unusual child processes spawned by winword.exe or unexpected network connections from Office applications. For now, the simplest and strongest defense is to apply the patch, confirm the build numbers, and remind users that even a friend’s forwarded attachment can carry a nasty surprise.