Microsoft shipped a patch on July 14, 2026, for a vulnerability in Microsoft Word that carries a 7.8 CVSS score and a label that has tripped up more than a few security teams: remote code execution. The catch? The actual exploitation happens locally, triggered by nothing more than opening a booby-trapped document.

The disconnect between the official title — “Microsoft Word Remote Code Execution Vulnerability” — and the technical vector (AV:L, or local attack) is more than semantic hair-splitting. It’s a quirk of how Microsoft names flaws and how the CVSS framework scores them, and misunderstanding it can lead to misprioritized patching or a false sense of safety.

Here’s what you, whether an IT admin or a home user, need to understand about CVE-2026-55033, why it’s described the way it is, and how to make sure you’re protected.

An integer overflow that breaks Word’s memory

The vulnerability details are spelled out in Microsoft’s Security Update Guide. It’s an integer overflow or wraparound in Word that results in a heap-based buffer overflow. In plain language: a specially crafted document can trick Word into writing data past the boundary of a memory buffer, corrupting memory in a way that lets an attacker execute their own code.

Microsoft’s own assessment isn’t ambiguous. The CVSS 3.1 vector reads AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Each element tells a story:

  • AV:L: The vulnerable action occurs locally — meaning the malicious code runs on your own machine, not through a network service.
  • AC:L: The complexity is low; once the document is opened, exploitation is straightforward.
  • PR:N: The attacker doesn’t need any prior privileges on your system.
  • UI:R: You, the user, must do something — open the file.
  • S:U: The scope is unchanged, but the three H’s (high impact to confidentiality, integrity, and availability) mean a successful attack can fully compromise your data and system.

So yes, this is a serious flaw. But unlike an unauthenticated, network-facing RCE in a server product (think Exchange or Remote Desktop Services), it does not self-propagate. Someone must find a way to get you to open a poisoned Word document.

Where you’ll find the patches

The July 14 release touches a long list of Office and SharePoint products. On the Office side, affected installs include Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, and Office LTSC 2024. Mac users aren’t spared either: Office for Mac builds earlier than 16.111.26071215 need the update. SharePoint Server 2016, 2019, and Subscription Edition also appear on the list, with SharePoint-specific packages like KB5002882 for Subscription Edition and KB5002892 for the SharePoint Server 2016 Language Pack.

For traditional, non-subscription Office 2016, the fix comes through KB5002890. If you’re on Microsoft 365 Apps, the update will arrive through your configured update channel — typically within a day or two of the release date, assuming you haven’t deferred or paused updates.

Home users running Microsoft 365 subscription versions of Word should see the update automatically through Windows Update or the Microsoft AutoUpdate tool on Mac. Enterprises will want to verify compliance through their usual patch management tools: Microsoft Configuration Manager, Intune, or whatever deployment platform is in use.

The ‘remote’ vs. ‘local’ confusion, explained

If the attack runs locally, why call it remote code execution? Microsoft’s own FAQ within the CVE entry addresses this head-on: “The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”

The mental model is simple. The person who crafted the malicious document can be anywhere in the world. They don’t need an account on your machine, they don’t need to be on your network, and they certainly don’t need to be sitting at your desk. Once you open the file they sent, their code executes on your computer — and from your perspective, the attacker is remote.

CVSS draws the line a bit differently. The AV metric looks strictly at the point where the exploit triggers, not where the attacker first launched their campaign. Since the vulnerable function in Word only fires after the document is opened locally, it’s scored as AV:L. If Word were a network-accessible service that could be compromised without any user interaction, the vector would be AV:N.

Why does this disconnect matter? For one, it can lead organizations to misclassify the threat. Some patch management policies automatically prioritize AV:N vulnerabilities over AV:L ones, even when the real-world risk is identical. Others might be misled into thinking an AV:L rating means the attacker needs physical access — not so. Physical access would be AV:P, a different designation entirely.

A more subtle danger: calling something “remote code execution” without emphasizing the required user interaction can create the mistaken impression that merely installing Word puts you at risk of automated, wormable attack. That’s not the case here. Defenders need to know that social engineering — a phishing email, a malicious link in a chat message, a compromised SharePoint library — is the likely delivery mechanism.

How the attack works in practice

Based on the vulnerability type (heap-based buffer overflow triggered by an integer overflow), the typical attack flow would look something like this:

  1. An attacker crafts a Word document with malformed structural elements or embedded objects that overflow a counter during parsing.
  2. The document is delivered via email attachment, direct message, malicious website download, or uploaded to a shared location.
  3. A victim opens the document. If Office’s Protected View is bypassed or the file is marked as trusted, the malicious payload exploits the buffer overflow and executes attacker-supplied code.
  4. That code runs with the privileges of the current user — typically the logged-in user’s rights. From there, it can download additional malware, steal data, encrypt files for ransom, or move laterally within a network.

Microsoft notes that the Preview Pane in Outlook is not an attack vector for this particular vulnerability, which reduces exposure for those who rely on Outlook’s reading pane but still leaves the door open for standard document-opening scenarios.

What you should do right now

Patching is the only complete fix. All other measures are stopgaps.

  • For home users: Open any Office application, go to File > Account > Update Options > Update Now. On a Mac, use Microsoft AutoUpdate. Restart Office after applying. Do not rely on the fact that you’re “careful about which documents you open” — one slip is all it takes.
  • For enterprise admins: Deploy the July 2026 security updates across all Office installations and SharePoint servers. Check your configuration manager or management console for compliance. If you block macro-enabled documents or untrusted Office files, that can help in the interim, but these controls are not bulletproof against exploitation that doesn’t require macros, like a buffer overflow.
  • For SharePoint admins: Apply the specific SharePoint updates listed for your version. A compromised document library could silently poison many users. Validate that your antivirus and attachment filtering are scanning Office files, and remind users to be suspicious of unexpected document shares.

Beyond patching, review your Office security settings. Enable Protected View for all documents from the internet. Consider Application Guard for Office if you’re on a supported enterprise plan. These are defense-in-depth measures that raise the bar even if a similar vulnerability emerges before the next Patch Tuesday.

The bigger picture: Office as a perennial target

Word and other Office apps have been a favorite target of attackers for decades. The reason is simple: they are ubiquitous in business environments, and users are conditioned to open documents. Unlike some browsers or media players, people do not typically think of a .docx file as “executable,” yet modern document formats can carry complex structures that interact with low-level parsing engines.

This isn’t the first Word vulnerability with a confusing RCE label, and it won’t be the last. In recent years, Microsoft has patched dozens of memory corruption flaws in its Office suite, many of them requiring user interaction. The company’s consistent use of “remote code execution” in titles, regardless of the CVSS attack vector, is a policy decision: it communicates the worst-case outcome clearly and is meant to spur action.

From a security practitioner’s viewpoint, the lesson is to look beyond the label. When you see “RCE” in a Microsoft advisory, read the CVSS vector and the FAQ. Understand whether the vulnerability is wormable or requires social engineering, whether it targets servers or clients, and what the actual exploitation prerequisites are. That way, you can prioritize patches based on your own threat model, not just a three-letter acronym.

What to watch next

Microsoft’s July 2026 updates address CVE-2026-55033, but history suggests similar flaws will surface. Keep an eye on Microsoft’s monthly security release notes, especially for any Office-related entries marked “Exploitation More Likely” in Microsoft’s Exploitability Index. Also watch the National Vulnerability Database for enrichment data that may add further technical detail or proof-of-concept code.

For now, install the patch, warn your users about unsolicited Word documents, and add this CVE to your threat intelligence feeds. The remote-attacker, local-execution paradox may be confusing, but the imperative is clear: don’t wait.