CVE-2026-55033 is a Microsoft Word code-execution vulnerability that can be delivered by a remote attacker but must be triggered through local processing on the victim’s device. That distinction explains the apparently contradictory labels: Microsoft classifies the outcome as remote code execution, while the CVSS vector records the vulnerable operation itself as local.
Published in Microsoft’s July 14, 2026 security release, the flaw carries a CVSS 3.1 score of 7.8, rated High. Microsoft describes it as an integer overflow or wraparound in Word that can lead to a heap-based buffer overflow, allowing an unauthorized attacker to execute code in the context of the affected application.
The critical CVSS components are
Microsoft’s Security Response Center directly addresses the terminology in its CVE entry. The company says “remote” in the title refers to the attacker’s location, while exploitation is carried out locally after code or malicious content reaches the target machine.
An attacker could therefore prepare a malicious Word document and distribute it through email, a download, a collaboration platform, or another delivery channel. The attacker does not need to sit at the victim’s keyboard or already possess an interactive session on the computer. The attacker remains remote even though Word ultimately opens and processes the document locally.
This type of flaw is also commonly described as arbitrary code execution, or ACE. The important security outcome is that attacker-controlled code can run on the victim’s system—not that Word exposes a network service that accepts and executes commands directly from the internet.
That differs from a classic network-borne RCE vulnerability in a service such as Windows DHCP Server, HTTP.sys, or Remote Desktop Services. Those flaws may receive
Word is a document-processing application. Its attack surface frequently becomes reachable only after a file has been downloaded, attached, synchronized, or otherwise made available to the application. Once Word processes that file, the vulnerable action occurs on the local endpoint, resulting in
For CVE-2026-55033, Microsoft assigned the following vector:
Each element adds useful context:
The presence of
Likewise,
It does not promise that every stage of the attack occurs remotely or without user involvement. The CVSS vector, exploitation notes, and vulnerability description supply those qualifications.
This naming convention matters because administrators often use “RCE” as a high-level category when prioritizing patches. Code execution in Word can enable malware installation, data theft, ransomware deployment, or movement into other resources available to the signed-in user. Those consequences remain serious even when opening a document is required.
At the same time, the local vector and required interaction make CVE-2026-55033 materially different from an unauthenticated
The National Vulnerability Database reproduces Microsoft’s 7.8 score and describes the underlying weakness as an integer overflow or wraparound capable of producing a heap-based buffer overflow. Its record maps the issue to CWE-190 and CWE-122, while noting that NIST had not yet completed its own enrichment when the entry was published.
Microsoft’s affected-product information spans Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, supported Office editions for macOS, and several SharePoint Server releases. Office for Mac builds earlier than 16.111.26071215 are listed as affected, while Windows Office servicing follows Microsoft’s applicable security-release channels.
SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition also appear in the affected-product data. Administrators should consequently review the actual deployment entries in Microsoft’s Security Update Guide rather than assuming this is only a desktop Word patch.
Microsoft 365 Apps administrators should confirm that devices have received the current Office security build through their configured update channel. Organizations running perpetual Office editions or on-premises SharePoint should verify installation through their normal inventory and update-compliance tools, including Microsoft Configuration Manager, Intune reporting, or the Office deployment management platform in use.
Until patch coverage is complete, standard document defenses remain relevant. Email attachment filtering, Microsoft Defender protections, Protected View, Mark of the Web handling, application control, and restrictions on untrusted Office content can reduce exposure, but they are not substitutes for installing the vendor fix.
The correct reading is therefore straightforward: CVE-2026-55033 permits a remotely located attacker to achieve code execution, but the malicious content must be processed on the target machine. RCE describes the security consequence and attacker relationship;
Published in Microsoft’s July 14, 2026 security release, the flaw carries a CVSS 3.1 score of 7.8, rated High. Microsoft describes it as an integer overflow or wraparound in Word that can lead to a heap-based buffer overflow, allowing an unauthorized attacker to execute code in the context of the affected application.
The critical CVSS components are
AV:L/AC:L/PR:N/UI:R. In practical terms, exploitation requires local handling of malicious content and user interaction, but the attacker does not need an existing account or privileges on the target system.
“Remote” Describes the Attacker, Not the Final Instruction
Microsoft’s Security Response Center directly addresses the terminology in its CVE entry. The company says “remote” in the title refers to the attacker’s location, while exploitation is carried out locally after code or malicious content reaches the target machine.An attacker could therefore prepare a malicious Word document and distribute it through email, a download, a collaboration platform, or another delivery channel. The attacker does not need to sit at the victim’s keyboard or already possess an interactive session on the computer. The attacker remains remote even though Word ultimately opens and processes the document locally.
This type of flaw is also commonly described as arbitrary code execution, or ACE. The important security outcome is that attacker-controlled code can run on the victim’s system—not that Word exposes a network service that accepts and executes commands directly from the internet.
That differs from a classic network-borne RCE vulnerability in a service such as Windows DHCP Server, HTTP.sys, or Remote Desktop Services. Those flaws may receive
AV:N because an attacker can reach the vulnerable component across a network connection without first placing content on the local machine.Word is a document-processing application. Its attack surface frequently becomes reachable only after a file has been downloaded, attached, synchronized, or otherwise made available to the application. Once Word processes that file, the vulnerable action occurs on the local endpoint, resulting in
AV:L.CVSS Measures the Exploitation Path More Narrowly
The CVSS Attack Vector metric does not simply ask whether an attacker can start the campaign from another country or send the payload over the internet. It evaluates how close the attacker must be to the vulnerable component when exploitation takes place.For CVE-2026-55033, Microsoft assigned the following vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HEach element adds useful context:
AV:Lindicates that the vulnerable Word processing operation occurs locally.AC:Lmeans Microsoft considers the exploitation conditions to have low complexity.PR:Nmeans the attacker does not need privileges on the target before exploitation.UI:Rmeans another person must perform an action, such as opening or otherwise processing the malicious content.S:Uindicates that the security authority affected by exploitation remains unchanged.C:H/I:H/A:Hreflects potentially high impact to confidentiality, integrity, and availability.
UI:R rating is especially important. CVE-2026-55033 is not described as a wormable vulnerability that automatically compromises an exposed Word installation over the network. Successful exploitation depends on local processing initiated through user interaction.The presence of
PR:N does not contradict AV:L. Privileges Required measures whether the attacker must already hold permissions in the vulnerable environment; Attack Vector measures the route to the vulnerable component. A malicious file can be processed locally even though the person who created and sent it has no account on the receiving computer.Likewise,
AV:L should not be read as meaning that an attacker needs physical access. CVSS has a separate AV:P designation for attacks requiring physical interaction. A remotely supplied document that is later opened on an endpoint can still be a local-vector exploit.The Title Communicates Impact Better Than Delivery Mechanics
Microsoft’s vulnerability titles generally emphasize the affected product and the resulting vulnerability class. “Microsoft Word Remote Code Execution Vulnerability” tells defenders that successful exploitation can cross the boundary from malformed document content into attacker-controlled execution.It does not promise that every stage of the attack occurs remotely or without user involvement. The CVSS vector, exploitation notes, and vulnerability description supply those qualifications.
This naming convention matters because administrators often use “RCE” as a high-level category when prioritizing patches. Code execution in Word can enable malware installation, data theft, ransomware deployment, or movement into other resources available to the signed-in user. Those consequences remain serious even when opening a document is required.
At the same time, the local vector and required interaction make CVE-2026-55033 materially different from an unauthenticated
AV:N/UI:N server vulnerability. Security teams should not treat all RCE labels as equivalent. The title identifies the possible result; the vector explains how an attacker gets there.The National Vulnerability Database reproduces Microsoft’s 7.8 score and describes the underlying weakness as an integer overflow or wraparound capable of producing a heap-based buffer overflow. Its record maps the issue to CWE-190 and CWE-122, while noting that NIST had not yet completed its own enrichment when the entry was published.
Microsoft’s affected-product information spans Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, supported Office editions for macOS, and several SharePoint Server releases. Office for Mac builds earlier than 16.111.26071215 are listed as affected, while Windows Office servicing follows Microsoft’s applicable security-release channels.
SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition also appear in the affected-product data. Administrators should consequently review the actual deployment entries in Microsoft’s Security Update Guide rather than assuming this is only a desktop Word patch.
Patching Still Outranks Debating the Label
Microsoft released fixes for CVE-2026-55033 as part of the July 14, 2026 security updates. Word 2016 is serviced through KB5002890, while associated SharePoint packages include updates such as KB5002882 for SharePoint Server Subscription Edition and KB5002892 for the SharePoint Server 2016 Language Pack.Microsoft 365 Apps administrators should confirm that devices have received the current Office security build through their configured update channel. Organizations running perpetual Office editions or on-premises SharePoint should verify installation through their normal inventory and update-compliance tools, including Microsoft Configuration Manager, Intune reporting, or the Office deployment management platform in use.
Until patch coverage is complete, standard document defenses remain relevant. Email attachment filtering, Microsoft Defender protections, Protected View, Mark of the Web handling, application control, and restrictions on untrusted Office content can reduce exposure, but they are not substitutes for installing the vendor fix.
The correct reading is therefore straightforward: CVE-2026-55033 permits a remotely located attacker to achieve code execution, but the malicious content must be processed on the target machine. RCE describes the security consequence and attacker relationship;
AV:L describes the final exploitation path.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com