Microsoft on July 14, 2026, released security updates for a critical remote code execution vulnerability in Word—CVE-2026-55127—that can be triggered when a user merely previews a malicious document in the Windows Preview Pane. The heap-based buffer overflow, rated 7.8 on the CVSS scale, affects nearly every currently supported edition of Office on Windows and Mac, plus several on-premises SharePoint servers. The fix came as part of the July Patch Tuesday cycle, and while Microsoft says it has seen no active exploitation, the unusual attack vector—Preview Pane—makes this a vulnerability worth patching immediately.
The Bug: A Heap Overflow That Bypasses ‘Don’t Click’ Advice
CVE-2026-55127 is a heap-based buffer overflow (CWE-122) in Microsoft Office Word. When Word processes a malformed document, it can write data beyond the intended area of heap memory, creating a path to arbitrary code execution in the security context of the user who encountered the file. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H—low attack complexity, no privileges required, mandatory user interaction, and potentially high impact across confidentiality, integrity, and availability.
That “mandatory user interaction” is the twist that makes this bug especially concerning. Traditional advice for avoiding document-based attacks is simple: don’t open attachments from unknown senders. CVE-2026-55127 lowers the bar. Microsoft’s advisory, as first reported by BleepingComputer and Action1, identifies the Preview Pane as an attack vector. That means merely selecting a file in File Explorer—without double-clicking to open it—can trigger the vulnerability if the preview handler processes the document.
This isn’t a true “zero-click” scenario; the user still needs to encounter or select the file in a context that activates the preview. But the difference between intentionally opening a document and simply navigating a folder full of files is meaningful. An attacker could email a weaponized .docx, upload it to a shared SharePoint library, or drop it into a Teams chat, banking on a victim single-clicking the file name. Security training that says “just don’t double-click attachments” would offer no protection here.
Who Is Affected—and It’s a Long List
The vulnerability reaches across Microsoft’s Office ecosystem. Affected products include:
- Microsoft 365 Apps for Enterprise (32-bit and 64-bit on Windows)
- Microsoft Office 2019 (Windows)
- Office LTSC 2021 and 2024 (Windows)
- Microsoft Word 2016 (x86 and x64)
- Microsoft Office for Mac (Microsoft 365 and Office LTSC 2021/2024)
- SharePoint Server 2016, 2019, and Subscription Edition (on-premises)
Mac users need Office version 16.111.26071215 or later. For Word 2016 on Windows, the fix arrives in KB5002890, which pushes Word to build 16.0.5561.1000. That update replaces KB5002879 and is available through Microsoft Update, the Update Catalog, and the Download Center. But KB5002890 is not a dedicated one-CVE patch—it bundles fixes for multiple Word remote code execution and information-disclosure vulnerabilities disclosed in July. So don’t be alarmed if your vulnerability scanner lists more than just CVE-2026-55127 after deployment.
SharePoint servers get their own packages: KB5002891 (SharePoint 2016, build 16.0.5561.1001), KB5002883 (SharePoint 2019, build 16.0.10417.20175), and KB5002882 (SharePoint Subscription Edition, build 16.0.19725.20434). Office Online Server also received KB5002884, though it’s not separately named in the CVE record. If you run any of these on-premises, understand that patching your users’ PCs alone does not protect the server-side document processing components.
What the Patch Changes for Home Users and IT Admins
For everyday Windows and Mac users, the message is simple: install the latest Office updates. If you use Microsoft 365 (the subscription version formerly called Office 365), check that your automatic updates are functioning and that you’re on a build released after July 14. On Windows, open Word, go to File > Account > Update Options > Update Now. On a Mac, open any Office app, click Help > Check for Updates.
For IT administrators who manage fleets of devices, the task is more nuanced.
- Microsoft 365 Apps (Click-to-Run) : These devices don’t receive KB5002890. Instead, they update through servicing channels. Confirm that your update rings or deployment tools have approved the July 2026 security release for the appropriate channel. A device on the Monthly Enterprise Channel, for example, needs the build released for that channel in July, not a build from an older insider ring.
- Office 2019 and LTSC (Volume License) : Determine whether installations are Click-to-Run or MSI-based. For Click-to-Run, the same channel-matching rule applies. For MSI-based installations, you’ll deploy the update package (e.g., KB5002890 for Word 2016) and then verify the file version of winword.exe to confirm it’s at least 16.0.5561.1000.
- Mac Admin : Use your MDM or update management tool to ensure Office for Mac reaches version 16.111.26071215 or higher. Microsoft AutoUpdate (MAU) should handle this if allowed.
- SharePoint Admins : Plan a farm-wide update. Test the relevant KB in a staging environment first, back up your farm, install the fix on every server that needs it, and run the SharePoint Products Configuration Wizard where required. Checking that a package shows as “Installed” in Programs and Features isn’t enough; you must complete the post-install configuration steps.
Security teams should also consider temporary mitigation if patches can’t be deployed immediately. Disabling the Preview Pane in File Explorer (View > Preview Pane or toggle with Alt+P) and in Outlook (View > Reading Pane > Off) can reduce exposure. However, these are band-aids. The only real fix is the update.
How We Got Here: A Heap Overflow in a Trusted App
Heap-based buffer overflows in Office are not new, but their recurrence in widely deployed software keeps security teams on edge. When a program like Word processes a file, it allocates memory on the heap for objects like fonts, styles, or embedded elements. If an attacker crafts a document that tricks Word into writing past the allocated buffer, they can overwrite adjacent memory and hijack program execution.
CVE-2026-55127 is CWE-122, a heap overflow, and its CVSS vector rates it “local” only because the vulnerable processing happens on the user’s machine. That label often confuses. A local vector does not mean an attacker needs a seat at your desk. They can deliver the malicious file over email, a shared link, or a cloud storage sync, and the damage occurs when Word—or its preview handler—touches the file.
Microsoft acknowledged the bug, assigned the severity, and patched it all in one cycle. The company is the CVE Numbering Authority, so the existence of the vulnerability is confirmed. However, as of July 14, Microsoft had not seen public disclosure or active exploitation, and its own exploitability assessment judged exploitation “less likely.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) echoed that view, noting no known exploitation and that the flaw is not readily automatable, though it could have total technical impact if exploited.
Despite the low immediate risk rating, memory-corruption bugs in Word are too valuable for attackers to ignore. Document-based attacks are a staple of espionage and ransomware campaigns because .docx files are trusted, familiar, and often excluded from aggressive filtering. A proof-of-concept could appear at any time, and once it does, the patch gap becomes a liability.
What to Do Now: Verify Your Patch Status
The most important metric is not the CVSS score but whether every vulnerable component in your environment has actually received the July update. Start with these checks:
- For end-user Word installations – Open Word, click File > Account. Under “About Word,” note the version number. For Click-to-Run Microsoft 365 Apps, the build number should be in the range released after July 14. For Word 2016, build 16.0.5561.1000 or higher means you’re safe.
- For SharePoint servers – Use the
Get-SPProductPowerShell cmdlet to confirm the farm’s build number, or check Central Administration > System Settings > Manage servers in this farm. Match the build to the thresholds above. - For vulnerability scanners – Don’t simply search for the specific KB number, especially across mixed Click-to-Run and MSI estates. Instead, scan for the file version of
winword.exeor verify that the cumulative Office security update for July 2026 is installed. - For security monitoring – While no exploitation has been detected, your SOC can watch for Word spawning unusual child processes (e.g., cmd.exe, powershell.exe, or wscript.exe) or writing executables to user-writable directories. These patterns are common to many document-based RCE chains and merit investigation.
If you manage a network that blocks automatic updates, immediately schedule a maintenance window to approve and deploy the patches. Every day without the fix is a day an attacker could craft an exploit and deliver it through a channel your existing email filters might not catch.
Outlook: More Than Just Another Word Patch
CVE-2026-55127 is notable not because it’s a zero-day—it isn’t—but because it exposes a seam in most organizations’ security armor. The Preview Pane attack vector turns a passive action (clicking a file icon) into a potential security event, which undercuts years of user training that focuses on “don’t open attachments.”
Microsoft’s early assessment suggests the threat is modest, but the window between a patch’s release and the availability of a working exploit is unpredictable. This vulnerability’s broad reach—spanning desktop Word, Mac, and server-side SharePoint—makes it a classic “patch now, verify later” case. The next milestone isn’t a revised score from the National Vulnerability Database; it’s whether your organization can show that every system that processes Word content has been updated before someone writes a weaponized document that targets this specific buffer overflow.