On July 14, 2026, Microsoft released a critical security update for Microsoft PowerPoint that closes a dangerous vulnerability allowing attackers to run arbitrary code on your PC. The flaw, tracked as CVE-2026-55120, is a heap-based buffer overflow that gets triggered when you open a specially crafted presentation file. While Microsoft rates it \"Important\" and the CVSS score is 7.8 (High), the potential impact is severe: a successful exploit gives the attacker the same control over your system as your user account has.

This isn't the typical network worm that spreads automatically. Instead, it's a more insidious attack relying on social engineering — convincing you to double-click a file. And in a world where PowerPoint decks are traded daily in emails, messaging apps, and cloud shares, that's a serious risk.

The Patch: What You're Installing

Microsoft's July update for PowerPoint addresses three remote code execution vulnerabilities in total: CVE-2026-55120, CVE-2026-55123, and CVE-2026-55043. They are all similar in nature — parsing flaws that corrupt memory when PowerPoint processes a malicious file.

The fix arrives through normal channels. If you use a Microsoft 365 subscription with automatic updates enabled, you likely already have it. For standalone Microsoft Office 2016 users who installed via MSI (the classic installer), Microsoft issued a specific patch: KB5002867. You can grab it from Windows Update or the Microsoft Update Catalog.

Affected versions include:
- Microsoft 365 Apps for Enterprise (Windows and Mac)
- Office 2019, Office LTSC 2021, Office LTSC 2024
- PowerPoint 2016 (version below 16.0.5561.1000 on Windows)
- Microsoft 365 for Mac (versions below 16.111.26071215)
- Office LTSC for Mac 2021 and 2024

The update also covers Mac editions, which is a reminder that Office for Mac isn't immune to such threats. If you're on a Mac running Office, you need to apply this patch.

Who Needs This Update?

If you open PowerPoint files — even occasionally — from anyone other than yourself, you are at risk. That includes home users, students, corporate employees, and IT professionals. The attack vector is local because the vulnerability lies within the PowerPoint application itself, not in a network service. But the delivery mechanism is remote: an email attachment, a download link, a shared OneDrive file, or a USB stick.

Microsoft's security advisory clarifies a common misconception: the CVE title calls this \"Remote Code Execution\" even though the CVSS metric says \"Attack Vector: Local.\" The company explains that \"Remote\" in the title refers to the attacker's location — the code runs on your machine, but the attacker doesn't need to be sitting at your keyboard. The exploitation requires that PowerPoint process the malformed file locally, which counts as a local attack vector per CVSS rules.

This distinction matters for defenders, not for the average user. For you, the takeaway is simple: don't open suspicious PowerPoint files, and install the update.

The Attack in Practice: How a File Becomes a Weapon

Imagine receiving an email that appears to be from a colleague with a subject line \"Updated Q3 sales deck — please review.\" The attachment is a .pptx file. You open it, and PowerPoint loads the content. Behind the scenes, a malicious structure in the file overwrites a heap buffer, allowing the attacker's code to execute without any further action from you.

Because the attack runs within the context of PowerPoint, it inherits your user privileges. If you're logged in as an administrator, the attacker gains full control of the system. A standard user account limits the damage but still allows data theft, ransomware, or further escalation.

The need for user interaction is the main reason this vulnerability scored 7.8 instead of a critical 9.0 or higher. It's not a zero-click exploit. But social engineering is a well-oiled machine, and PowerPoint files are trusted in business environments.

Timeline and Precedent

Microsoft disclosed this vulnerability on July 14, 2026, as part of its regular Patch Tuesday. The company hasn't reported any active exploitation in the wild, but the details are now public, so attacks may begin soon.

This is not an unusual type of bug. Microsoft Office has a history of similar memory corruption vulnerabilities. In recent years, we've seen numerous patches for Excel, Word, and PowerPoint that follow the same pattern: a malformed document parses unexpectedly, leading to code execution. The July 2026 batch included three PowerPoint fixes, indicating researchers or internal teams found a cluster of related issues.

Immediate Steps for Users and Admins

For everyone:
- Run Windows Update and ensure your Office suite is up to date. On a PC, open any Office app, go to File > Account > Update Options > Update Now.
- If you use a Mac, open an Office app, click Help > Check for Updates.
- Avoid opening PowerPoint files from unknown sources. Even if a file looks legitimate, verify the sender through a separate channel.
- Enable Protected View and Mark-of-the-Web features. These are on by default in modern Office, but double-check under File > Options > Trust Center > Trust Center Settings.

For IT administrators:
- Immediately deploy the July 2026 security updates for Microsoft Office across your fleet. For click-to-run installations, the update should be pushed via your management policies.
- For MSI-based PowerPoint 2016 installations, deploy KB5002867. This update is available in the Microsoft Update Catalog for offline deployment.
- Consider blocking PowerPoint attachments at your email gateway, especially .pptx files with macros or unusual structures. Use attachment sandboxing if available.
- Enforce the principle of least privilege: users should not run with local administrator accounts.
- Monitor endpoint detection logs for suspicious child processes spawned by POWERPNT.EXE, such as cmd.exe or powershell.exe, which could indicate exploitation.

The Bigger Picture

This vulnerability underscores a persistent reality: the document you open can be as dangerous as any executable file. While Microsoft has hardened Office over the years with features like Protected View and AMSI integration, parsing complex formats like PowerPoint still presents attack surface.

As we move toward a more cloud-centric Office, some of these risks shift to server-side protections in Microsoft 365. But for the foreseeable future, local processing of files remains essential, and so do patches like this one.

Keep your systems updated, practice scepticism about attachments, and remember: July 14's update is one you don't want to skip.