Microsoft shipped its July 2026 security updates on the 14th, remediating a memory-corruption oversight in Word that can spill sensitive information when a user opens a specially crafted document. Tracked as CVE-2026-55142 and rated Important, the vulnerability stems from a numeric truncation error – essentially a miscalculation in how Word handles certain values hidden inside a file.
The Patch Details
The update closes a hole that Microsoft’s Security Response Center (MSRC) says an attacker can exploit locally to disclose confidential data. No prior privileges are required, and while the attack complexity is low, the flaw demands user interaction – meaning a victim must be tricked into opening a booby-trapped Word file.
The CVSS 3.1 base score sits at 5.5, with the vector string indicating a high impact on confidentiality but zero effect on integrity or availability. In plain terms: a successful attack won’t corrupt your files or crash Word, but it can lift data that should never have been visible.
Microsoft has not spelled out the exact interaction needed to trigger the bug, nor has it disclosed what kind of information emerges. The advisory only confirms the root cause is CWE-197 (Numeric Truncation Error) and that the impact is limited to information disclosure.
Who’s Affected – and How
The vulnerable footprint extends beyond the desktop Word you launch from the Start menu. The following products need the July 2026 patches:
- Microsoft 365 Apps for enterprise – both 32‑bit and 64‑bit editions on Windows. Most installations will receive the fix automatically through their assigned update channel.
- Microsoft Office 2019, Office LTSC 2021, and Office LTSC 2024 – all on Windows.
- Microsoft 365 for Mac – versions prior to 16.111.26071215 are vulnerable.
- Microsoft Word 2016 – the standalone perpetual version; security update KB5002890 takes it to build 16.0.5561.1000 or later.
- SharePoint Enterprise Server 2016 – patched by KB5002891 (build 16.0.5561.1001).
- SharePoint Server 2019 – requires KB5002883 (build 16.0.10417.20175).
- SharePoint Server Subscription Edition – fixed with KB5002882 (build 16.0.19725.20434).
The SharePoint entries are critical for enterprise defenders. Even if every laptop running Microsoft 365 Apps has auto-updated, a vulnerable SharePoint Server can still expose users. Organizations must patch server farms separately, following the same discipline they apply to OS and Exchange updates.
Why This Flaw Matters Despite the Local Limitation
A CVSS score of 5.5 can sound modest, but the “local” designation shouldn’t lull anyone into complacency. The attack vector hinges on user interaction, and Word documents remain the lifeblood of phishing campaigns. Invoices, résumés, legal notices, and internal memos – attackers have long exploited that trust to persuade targets to open malicious files. Once the document is loaded, the numeric truncation error might expose document contents, process memory, or other secrets that can fuel subsequent breaches.
Microsoft hasn’t said whether the leaked data could include credentials or entire document bodies. Yet information-disclosure vulnerabilities of this type often give adversaries the reconnaissance they need to refine a targeted attack. Even a small data trail can map internal systems or reveal technical details that help bypass other defenses.
Crucially, the flaw is not a remote code execution; it doesn’t let attackers install malware. But because the attack requires no privileges and complexity is low, it’s an attractive option for initial access. A phishing email with a weaponized DOCX attachment is all it takes.
The Root Cause: Numeric Truncation Errors in Document Parsing
CWE-197 covers cases where a program converts or stores a number in a smaller representation and loses significant bits along the way. In a document parser like Word’s, this can happen when processing a malformed file structure – say, an incorrect size field, an offset, or a count that gets truncated to a wrong value. The parser then operates on that incorrect value, potentially reading memory it shouldn’t or returning data that should be hidden.
Microsoft has not released a technical root-cause analysis or proof-of-concept code. The community often reverse‑engineers these patches through binary diffing, a process that compares the patched and unpatched versions to locate the fix point. Once that happens, more detailed public analysis is likely – and attackers will study it too. For now, the credible technical depth stops at what Microsoft has confirmed in the CVE record.
What to Do Right Now
There is no workaround that replaces installing the patch. Microsoft’s advisory omits any mitigation that blocks the underlying numeric error. So, the action plan is straightforward but requires precision:
- Identify all affected installations. Inventory your desktop Office versions, update channels, Mac licenses, and SharePoint servers. Don’t assume that “Microsoft 365 Apps” only means the subscription product – Word 2016 and perpetual Office releases need explicit checks.
- Deploy the July 14, 2026 security updates. For Microsoft 365 Apps, verify that the update channel has pulled the latest build. For volume‑licensed perpetual products, push the patches via your standard tool (WSUS, Configuration Manager, Intune, etc.). Mac admins can validate that Microsoft 365 for Mac is at least 16.111.26071215.
- Patch SharePoint Server. Install the specific KB packages on every server in the farm and run any prescribed post‑update configuration steps (PSConfig, etc.). Note that language packs and other Office server components may have separate updates.
- Validate remediation. Spot-check Word build numbers on endpoints and confirm SharePoint version numbers in Central Administration or via PowerShell. Relying on “automatic updates” isn’t enough; offline devices, paused rings, or expired channels can leave gaps.
Secondary layers like Protected View, attachment scanning, and user awareness training remain important, but they only reduce exposure – they don’t fix the truncation bug. Treat this patch the way you treat any security update for a critical productivity application: test quickly and roll out aggressively.
What Comes Next
The July release arrived without reports of active exploitation, and CISA’s initial assessment listed no known in‑the‑wild use. But that can change quickly. As researchers dissect the binaries, the road from “vendor-confirmed” to “publicly exploited” could shorten. Microsoft’s own confidence rating for the CVE sits firmly in the “confirmed” stage, meaning the company has fully acknowledged the bug and shipped a correction.
Keep an eye on the MSRC advisory for any updates, and monitor your security feeds for technical write‑ups that appear after Patch Tuesday. If your organization runs Word 2016 or SharePoint Server on the same patch timeline as last month’s, verify that the July packages haven’t been superseded before you deploy. For everyone else, the measure of safety is the build number on your Word splash screen – check it now.