On July 14, 2026, Microsoft released a security update for a vulnerability in Word that could allow an attacker to read confidential information from a victim’s computer. The patch is straightforward, but the accompanying advisory page includes a jarring error: a prewritten FAQ about remote code execution that contradicts the vulnerability’s actual classification as an information disclosure flaw. Administrators and users who rely on the advisory’s plain-language explanation could misjudge the risk—or incorrectly assume they need to prioritize defenses against code execution.
The real story, buried in the structured CVE data, is that CVE-2026-55124 is an information disclosure bug. Microsoft assigned it a CVSS 3.1 base score of 5.5, categorizing it as “Important.” The National Vulnerability Database lists it as Medium, pending its own analysis. Exploitation requires an attacker to trick a user into opening a specially crafted document, after which sensitive data might be exposed. No one has publicly reported active attacks, and Microsoft says the flaw was not disclosed before the patch.
The Bug: Information Disclosure, Not Remote Code Execution
The CVSS vector for CVE-2026-55124 tells a clear story: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Every element points to a local, user-interaction-dependent attack that compromises confidentiality only. There is no impact on integrity or availability. In plain English, a successful exploit lets an outsider read something they shouldn’t—nothing more.
Microsoft’s own CVE description confirms the scope: “improper validation of a specified type of input in Microsoft Office Word allows an unauthorized attacker to disclose information locally.” The weakness classifications—CWE-20 (Improper Input Validation) and CWE-1287 (Improper Validation of Specified Type of Input)—are hallmarks of a parsing bug that can leak data, not one that executes arbitrary commands.
So why does the advisory suggest otherwise? Scroll to the bottom of Microsoft’s Security Update Guide page for CVE-2026-55124, and you’ll find this question: “According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?” The answer explains that “Remote” in the title refers to the attacker’s location, and that the attack itself is carried out locally. That distinction is common for Office vulnerabilities where a malicious document is emailed or shared, but Word opens it locally. For many Word RCEs, that note is helpful. For CVE-2026-55124, it’s completely out of place—the title explicitly says “Information Disclosure Vulnerability,” not remote code execution.
The most likely explanation is a copy-paste error. Microsoft vulnerability pages often include standardized FAQs. It appears a boilerplate answer meant for a genuine RCE was mistakenly retained here. Until Microsoft corrects the record, treat the structured CVE data—not the FAQ—as authoritative.
What’s Affected: A Long List of Office and SharePoint Versions
The patch closes the hole across a broad swath of Office products. Affected releases include:
- Microsoft 365 Apps for Enterprise
- Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Microsoft 365 for Mac
- Office LTSC for Mac 2021
- Office LTSC for Mac 2024
Server-side products that rely on Word components are also vulnerable:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Microsoft’s July 2026 Office update documentation includes the fix. For Office 2016, the specific Word security update is KB5002890. SharePoint administrators should target these packages:
| Product | KB / Build |
|---|---|
| SharePoint Server Subscription Edition | KB5002882 (build 16.0.19725.20434) |
| SharePoint Server 2019 | build 16.0.10417.20175 |
| SharePoint Server 2016 | build 16.0.5561.1001 |
| SharePoint Server 2016 Language Pack | KB5002892 |
The corrected Mac release is version 16.111.26071215. Home users running Microsoft 365 subscriptions generally receive the patch automatically through their update channel. Volume-licensed MSI-based installations and on-premises SharePoint farms require manual approval and deployment.
A Brief History of Word Info-Disclosure Vulnerabilities
Information disclosure bugs in Office are not new. Word, Excel, and other document-format parsers have a history of leaking memory contents, file paths, or even hashed credentials when coaxed into mishandling malformed input. In 2024, CVE-2024-30104 exposed Outlook NTLM hashes; earlier Word flaws have disclosed heap memory or encryption keys.
CVE-2026-55124 follows that pattern. The precise data at risk isn’t detailed in the public advisory, but the “High” confidentiality rating means the impact is more than trivial metadata exposure. Possible scenarios include revealing the content of other open documents, session tokens, or internal memory structures that could aid further attacks. That’s why an “Information Disclosure” label should never be dismissed as low priority—it can be a stepping stone in a multi-stage intrusion.
How to Patch CVE-2026-55124 Right Now
For most Windows users: If you’re on Microsoft 365, ensure automatic updates are enabled in Word (File > Account > Update Options > Enable Updates). The fix was included in the July 14 release train. To verify, check your Office version number matches the patched channel release. A quick restart of all Office apps completes the installation.
For IT administrators: Download and deploy the July 2026 Office security updates appropriate for your environment. Key KBs are listed above. Prioritize SharePoint servers—they often lag behind desktop clients in patching cadences, yet they can serve as document delivery platforms. After applying updates on SharePoint, run the SharePoint Products Configuration Wizard if required by the patch instructions.
Additional mitigation measures remain useful, especially if patching must be delayed:
- Block unexpected Word attachments at email gateways.
- Configure attack surface reduction rules to block Office apps from creating child processes or launching executable content.
- Remind users not to open documents from untrusted sources, even if they appear to come from known contacts (since attackers often spoof senders).
- For SharePoint, restrict document uploads from unauthenticated users and audit download activity for unusual access patterns.
The Takeaway: Patch Promptly, Verify Advisory Details
CVE-2026-55124 is not a five-alarm emergency—there’s no known exploitation, and user interaction is required. But its High confidentiality impact means the data exposure could be significant. Patching eliminates the risk entirely.
The advisory glitch is a reminder to always cross-check multiple data sources: the CVE record itself, the CVSS vector, and independent analyses (like this one). Don’t let a stray FAQ answer steer your risk assessment. If Microsoft cleans up the page, great; if not, the facts have not changed: it’s an information disclosure vulnerability, addressed by updates released July 14, 2026. Apply the patch and move on.