On July 14, 2026, Microsoft pushed out security patches that close a high-severity code execution hole in Microsoft Word—tracked as CVE-2026-55128—that could give attackers full control of your computer simply by tricking you into opening a weaponized document. But before you click “Check for updates” and call it a day, understand this: the fix isn’t one-size-fits-all, and whether you’ve actually applied the patch depends entirely on how your Office software was installed. If you’re a home user running Microsoft 365, you might already be safe. If you’re an IT admin managing hundreds of PCs with a mix of Office 2016 MSI and Click-to-Run installations, there’s a real chance some machines are still exposed—even if your management console says they’re compliant.
Microsoft’s advisory rates the vulnerability with a CVSS 3.1 score of 7.8, putting it firmly in the “high severity” category. While exploitation requires a local user to open a malicious file—meaning it’s not a worm that can spread across networks unassisted—the potential damage is serious: successful attacks can achieve high impact on confidentiality, integrity, and availability. The root cause is a classic use-after-free memory bug (CWE-416), where Word mishandles memory after it has been freed, allowing a cleverly crafted document to corrupt the application and hijack its execution.
What July’s Patch Actually Changed
The security update addresses the flaw by correcting how Word manages memory when processing certain content, though Microsoft hasn’t publicly shared the precise document format or interaction needed to trigger the exploit. What we do know is the affected software list is long and surprisingly varied:
- Microsoft 365 Apps (enterprise) on Windows and macOS
- Office 2019, Office LTSC 2021, and Office LTSC 2024 (both retail and volume-licensed)
- Office 2016 specifically, but only the MSI-based perpetual version—more on that below
- Office for Mac (including Office 365 for Mac, LTSC for Mac 2021, and 2024)
- SharePoint Server 2016, 2019, and Subscription Edition
That last entry trips up many organizations. SharePoint farms that process or index Office documents are vulnerable unless updated to specific builds, and as we’ll see, patching SharePoint isn’t the same as running Windows Update.
The fix arrived as part of Microsoft’s July 2026 security release, with distinct packages for different products. For Word 2016 MSI edition on Windows, the magic number is KB5002890, which raises the Office build to version 16.0.5561.1000 (32-bit or 64-bit). If you’re running Microsoft 365 Apps via the Click-to-Run model, you won’t see KB5002890 at all; instead, you need to ensure your Office updated to the security build that your update channel delivers—and those build numbers vary per channel. On Mac, the cutoff is version 16.111.26071215, which rolled out through the normal Microsoft AutoUpdate mechanism. For SharePoint, separate cumulative updates (KB5002891, KB5002892, KB5002883, etc.) must be installed in a specific order across all servers in the farm.
What This Means for You—Really
The practical impact splits cleanly along user lines.
For Everyday Home and Small Business Users
If you have a Microsoft 365 subscription and automatic updates turned on, you’re likely already protected—the patch was delivered silently in the background. To verify, open Word, go to File > Account, and check that the version number is at or above the build listed for your update channel (you can find that in the Microsoft 365 update history page). On a Mac? Click Word > About Word and confirm it’s 16.111.26071215 or newer. If you’re still using an ancient Office 2016 that you bought once and never updated, you need to manually install KB5002890 from Microsoft Update or the catalog; Windows Update may offer it if you check for updates, but many folks put that off indefinitely.
The risk to you is real. A single malicious document arriving via email attachment, shared cloud link, or even a USB stick could compromise your machine. Since most home users run with administrator-level accounts (a bad habit, but common), an attacker who exploits this bug could install ransomware, keyloggers, or stealthy backdoors. Don’t let the “user interaction required” label lull you into complacency—social engineering works, and people open files they shouldn’t all the time.
For IT Administrators and Security Teams
This is where things get hairy. You might have a patch management tool that reports 100% compliance after pushing July updates, but that report could be lying. The reason: Office 2016 and later often coexist in multiple servicing models under the same roof. An organization might have some PCs with Office 2016 MSI (often from volume licensing programs), others with Microsoft 365 Apps (Click-to-Run), and perhaps even a mix on the same machine if the user installed both. Your tool might only scan for the Click-to-Run channel update and miss the MSI-based Word 2016 because it treats them as separate products. Or vice versa.
Here’s a quick breakdown to avoid mistakes:
| Installation Type | Patch Method | Key Verification |
|---|---|---|
| Office 2016 MSI (perpetual) | KB5002890 via WSUS, ConfigMgr, Microsoft Update Catalog | Word build 16.0.5561.1000 |
| Microsoft 365 Apps (C2R) | Through update channel (Current, Monthly Enterprise, etc.) | Build matches the security baseline for your channel as of July 14 |
| Office 2019 / LTSC 2021/2024 (C2R) | Microsoft Update or AutoUpdate (Mac) | Windows build ≥ specific channel build; Mac ≥ 16.111.26071215 |
| SharePoint Server 2016/2019/Subscription | Separate cumulative updates installed in farm order | Server build ≥ fixed build listed in MSRC (varies) |
For SharePoint, you must update every server, not just front-ends—a content processing server that converts documents is equally vulnerable. And you can’t just drop the Word 2016 desktop patch on a SharePoint box; the server components are different binaries. Microsoft’s guidance mandates a specific installation sequence to avoid downtime or configuration errors. After updating, run the SharePoint Products Configuration Wizard on each server to complete the patch.
Endpoints are still the easiest target. Even if you’ve hardened email filters and endpoint detection, a user who deliberately downloads a file from a shared drive or a seemingly legitimate web link can bypass many protections. For now, while you’re patching, consider implementing attack surface reduction rules like “Block all Office applications from creating child processes” (rule ID 9e6c4e1f-7d60-472f-ba1a-b627527d5caf) in Microsoft Defender for Endpoint. But understand that these are compensations, not fixes.
How a Word Bug Became a SharePoint Problem Too
Microsoft Office vulnerabilities that spill into SharePoint are not new. The shared codebase that lets Word render documents for previews, search indexing, and other server-side operations means that any parsing flaw in the desktop application often replicates on the server. In CVE-2026-55128’s case, the advisory explicitly calls out SharePoint Server products—a practice Microsoft has followed more consistently since the 2017 SharePoint security revamp. The fact that no public exploit was observed at the time of release (per CISA’s initial SSVC assessment) is fortunate, but it’s no guarantee. History shows that once a patch is reverse-engineered, exploit code can appear within days.
The use-after-free bug class itself is a perennial headache. Memory-safe programming languages have reduced its prevalence, but Office’s long legacy and complex file-format parsing make it hard to eliminate entirely. Microsoft hasn’t said whether this flaw was found internally, reported by a security researcher, or perhaps through a bug bounty. What matters is that the patch is here now, and the window to deploy it is narrow.
What to Do Right Now
- Identify your Office installation type. On a Windows PC, you can check whether Office is Click-to-Run or MSI by reviewing the
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configurationregistry key; if it exists and contains aVersionToReportvalue, it’s C2R. For older Office 2016, look underHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstallfor a GUID that points to MSI. Alternatively, from Word, go to File > Account—if you see “Update Options,” it’s C2R; if you see only “About Word,” it’s MSI. - For MSI-based Office 2016: Deploy KB5002890. You can download the 32-bit or 64-bit package from the Microsoft Update Catalog or use WSUS/ConfigMgr. After installation, restart Word and verify the build number in File > Account.
- For Click-to-Run installs (Microsoft 365, Office 2019, LTSC): Trigger an update manually (File > Account > Update Options > Update Now) and confirm the version. For managed environments, ensure your update channel policy is configured to deliver the security build—you may need to temporarily move devices to a faster channel if you’re behind.
- For Mac: Open any Office app, go to Help > Check for Updates, install all available updates, then verify the version is 16.111.26071215 or later.
- For SharePoint: Apply the correct cumulative update for your server version (refer to the SharePoint update center) across all servers, reboot, and run the Configuration Wizard. Do not skip rollup dependencies; usually you’ll need to install the latest language-independent and then language-specific patches. The MSRC article lists specific KB numbers for each SharePoint edition; follow that list.
- Validate: Use a script or inventory tool that checks the actual file version of winword.exe (or the Word executable) rather than relying solely on the update deployment status. For SharePoint, check the database version or use the Central Administration health check.
- Reduce immediate risk: While you patch, remind users not to open documents from unknown sources, enable Mark of the Web protections, and consider removing local admin privileges from standard accounts if you haven’t already.
Outlook: Watch for Exploitation and Future Cumulative Updates
As of now, Microsoft states “no exploitation in the wild,” but that label can change. Security teams should monitor threat intelligence feeds and detection signatures for any sign of this CVE being used. Because the flaw resides in a widely deployed application, it’s an attractive target for both targeted attacks and commodity malware. Microsoft’s next Patch Tuesday in August will likely include additional quality and security fixes for Office; keep an eye out for any regressions introduced by the July update and test subsequent rollups promptly.
The bigger takeaway is that Office patching has gotten fragmented. The days when one service pack updated every Word installation are long gone. Admins must now master the intricacies of Click-to-Run servicing, MSI baselines, and cloud-connected update channels. If this episode surfaces gaps in your patch management processes, use it as a catalyst to map your Office deployment more thoroughly—because the next Word RCE won’t wait for you to catch up.