Microsoft shipped its July 2026 security updates on Tuesday, and among them is a patch for CVE-2026-55045, a flaw in Microsoft Office that has already raised eyebrows among security teams. The vulnerability carries a CVSS base score of 8.4, putting it firmly in the 'High' severity category, but the advisory’s language has left many asking: why does the title call it a remote code execution (RCE) bug when the CVSS vector declares the attack is local? The answer lies in how Microsoft and the CVSS standard define their terms—and the patch is urgent regardless.
The Flaw: An Out-of-Bounds Read With Far-Reaching Impact
Microsoft's advisory describes CVE-2026-55045 as a remote code execution vulnerability arising from an out-of-bounds read (CWE-125) in Microsoft Office. An attacker who successfully exploits this weakness can execute arbitrary code on the target system. According to the Common Vulnerability Scoring System (CVSS) 3.1 assessment, the vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
That string breaks down to an obviously dangerous scenario: the attack complexity is low, no privileges are required, and no user interaction is needed. The impact on confidentiality, integrity, and availability is rated high across all three categories. Yet the "AV:L"—local attack vector—has caused some confusion. The vulnerability was published in Microsoft's July 14, 2026 security release, and the National Vulnerability Database (NVD) noted it had not yet completed its own enrichment at the time. The Cybersecurity and Infrastructure Security Agency (CISA) assigned it a technical impact of "total" but reported no known exploitation.
Unpacking the AV:L Paradox
The confusion between the advisory title and the CVSS vector stems from a collision of terminology. Microsoft labels the vulnerability "remote code execution" because the attacker can commandeer a system from a remote location—the attacker does not need physical access to the keyboard. This is a common scenario: the victim receives a malicious document via email or a SharePoint library, and when Office processes it, the code runs.
The CVSS standard, governed by the Forum of Incident Response and Security Teams (FIRST), scores the attack vector based on how the vulnerable component is reached. Since Office isn't a network service listening on a port, the vector is "local": the malicious code must be executed or the file must be opened on the target machine. FIRST explicitly notes in its CVSS v3.1 specification that "local" does not mean the attacker must be sitting at the console; it can include cases where the attacker delivers a file remotely but the action triggering the flaw occurs locally. As Microsoft's own FAQ for this CVE puts it, "The word Remote in the title refers to the location of the attacker."
Who Needs to Act: The Full Product List
The affected-product record is broad, covering both desktop Office and server-side SharePoint. All the following require the July 14, 2026 security update:
- Microsoft 365 Apps for enterprise (Windows)
- Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024 (Windows)
- Microsoft 365 and Office LTSC for Mac (builds below 16.111.26071215)
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Microsoft has published specific fixes for each. For SharePoint Server Subscription Edition, the update is KB5002882, which brings the farm to build 16.0.19725.20434. Administrators must first install KB5002799 if using SharePoint Workflow Manager; those on the Classic Workflow Manager must set a server debug flag to keep the service operational after patching. SharePoint Server 2016 moves to build 16.0.5561.1001 with its cumulative update. For MSI-based Office 2016, the fix is KB5002273, which bumps the version to 16.0.5561.1001 or higher.
Practical Impact for Every Audience
End Users
If you're using Microsoft 365 or a recent Office version, the patch is likely already on its way via automatic updates. But don’t wait—check manually. In any Office app, go to File > Account > Update Options, and click "Update Now." For Mac, open any Office app, go to Help > Check for Updates, and make sure you’re on version 16.111.26071215 or later.
The CVSS rating of UI:N (no user interaction required) is the detail that should worry you most. It suggests that merely previewing a file, having a background process like Search Indexer touch it, or even loading a document into a preview pane in SharePoint could trigger the bug. You cannot rely on being cautious—install the patch immediately.
IT Administrators
This vulnerability demands urgent attention. The low attack complexity and lack of privilege requirements make it an attractive target for email-based campaigns and malicious library items in SharePoint. Here’s your action list:
- Deploy the Office updates forcefully. For Windows clients, use WSUS, Configuration Manager, or Intune to push the latest Click-to-Run builds or the specific MSI updates. Verify after deployment: for Click-to-Run, check that the build date is July 14, 2026 or later (the exact version will vary by channel). For Office 2016 MSI, open any Office program, click File > Account, then “About Program” to see the build; it must be 16.0.5561.1001 or higher.
- Patch SharePoint servers. The server-side flaw has the same severity. For SharePoint Subscription Edition, install KB5002799 first (if using Workflow Manager), then KB5002882. For SharePoint 2016, apply the July cumulative update. Validate the build number in Central Administration.
- Don’t count on user awareness. With UI:N, traditional advice like “don’t open suspicious attachments” is insufficient. Assume that unpatched systems are vulnerable to drive-by attacks if the document can be processed.
- Layer your defenses while patching. Use Protected View, Application Guard, or advanced email filtering to reduce the chance of malicious files landing. But these are mitigations, not substitutes for the patch.
Developers
No public proof of concept exists yet, but the CWE-125 class points to a memory safety error, likely in a file parser. It’s a reminder of the persistent risk of parsing untrusted content in C/C++ code. If your organization develops software that integrates with Office or handles Office documents, review your own document processing pipelines for similar vulnerabilities.
How We Got Here: A Brief History of Confusing Scores
This isn’t the first time an Office vulnerability carried the AV:L tag while being called RCE. Many infamous Word and Excel bugs from the past decade used similar vectors: malicious documents delivered via email, executed locally, but orchestrated by remote attackers. The CVSS scoring system intentionally separates “where the attacker sits” from “how the flaw is exploited.” This design choice often leads to misunderstandings, especially when the media or even security teams glance only at the attack vector.
The AV:L label has, in some organizations, meant a slower patch response—a critical mistake. The overall CVSS score of 8.4 stems from the other metrics: low complexity, no privileges, and high impact. Those conditions make the vulnerability a prime candidate for weaponization, even if initial delivery requires local file processing.
What to Watch Next
No active exploitation has been reported, but the gap between patch release and attack attempts is shrinking. Threat actors often reverse-engineer updates to develop exploits. Microsoft has not revealed details about the specific file format or trigger, but that may change as researchers begin their own analysis. Keep an eye on CISA’s Known Exploited Vulnerabilities catalog—if this CVE appears there, the clock will be ticking even louder.
For now, the immediate task is clear: patch Office and SharePoint without delay. The terminology is awkward, but the danger is real.