CVE-2026-55124: Patch Microsoft Word Information Disclosure Flaw

CVE-2026-55124 is a Microsoft Word information-disclosure vulnerability, not a remote-code-execution flaw, despite an apparently mismatched explanation on Microsoft’s Security Update Guide. The authoritative CVE title, description, and CVSS vector all describe a local attack that exposes confidential information after user interaction.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 5.5. Microsoft classifies it as Important, while the National Vulnerability Database currently lists it as Medium and is still awaiting its own enrichment analysis.
The confusing text answers a question about why “Remote” appears in an RCE title, explaining that an attacker may deliver malicious content remotely even though the vulnerable application processes it locally. That explanation is broadly applicable to many document-based Office vulnerabilities, but it does not match CVE-2026-55124’s published title or impact.

Cybersecurity warning flags a CVE vulnerability exposing sensitive Office documents and information.The CVSS Vector Tells the Actual Story​

Microsoft assigned CVE-2026-55124 the following CVSS 3.1 vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Each component narrows down the likely exploitation scenario:
  • The attack vector is Local, meaning exploitation occurs through an action on the vulnerable system rather than through a network-facing Word service.
  • Attack complexity is Low, indicating that exploitation does not require unusual environmental conditions.
  • No privileges are required before attempting exploitation.
  • User interaction is required, so a victim must open or otherwise process attacker-controlled content.
  • Scope remains unchanged, meaning exploitation does not cross into a different security authority.
  • Confidentiality impact is High, while integrity and availability impacts are None.
That combination is consistent with information disclosure, not arbitrary code execution. A successful attacker may obtain data that should not have been exposed, but the published scoring does not credit the flaw with modifying information, disrupting Word, or executing attacker-controlled instructions.
The CVE description submitted by Microsoft is equally direct: improper validation of a specified type of input in Microsoft Office Word allows an unauthorized attacker to disclose information locally. The associated weakness classifications, CWE-20 and CWE-1287, concern improper input validation and insufficient validation of specified input types.
None of those fields identifies code execution as the impact.

Microsoft’s RCE Answer Appears to Be Stray Boilerplate​

The most likely explanation is a Security Update Guide content error. Microsoft vulnerability pages frequently include standardized questions clarifying why a vulnerability with AV:L can still carry “Remote Code Execution” in its title. That distinction matters for Office vulnerabilities because an attacker can send a malicious document from another computer while Word ultimately opens and parses it on the victim’s machine.
In CVSS terminology, local attack vector describes the access path needed to reach the vulnerable component. It does not necessarily mean the attacker must be physically present, already signed in, or sitting at the keyboard.
For example, an attacker could email a specially crafted Word document or place it on a file-sharing service. The attacker is remote in the ordinary sense, but the exploit is activated locally when the recipient opens the document. Microsoft sometimes calls the resulting impact remote code execution because the remotely located attacker can cause code to run on the victim’s endpoint.
That is the distinction Microsoft’s answer attempts to explain. However, the CVE-2026-55124 page is titled “Microsoft Word Information Disclosure Vulnerability,” so the question’s premise does not apply. The page does not need to reconcile an RCE title with AV:L because its title does not claim RCE in the first place.
This looks like an FAQ entry copied from another Office advisory, a display defect in the Security Update Guide, or metadata associated with the wrong impact category. Until Microsoft modifies the advisory, administrators should treat the structured CVE fields—not the mismatched RCE explanation—as the reliable description of the vulnerability.

Word, Microsoft 365 Apps, and SharePoint Are Affected​

Microsoft’s CVE record identifies affected releases across the supported Office and SharePoint portfolio. These include Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024.
The exposure also extends to server products that use Word components, including SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Microsoft’s July 2026 Office update documentation includes CVE-2026-55124 among the vulnerabilities addressed by the corresponding SharePoint packages.
For Office 2016 deployments, Microsoft lists the July 14 Word security update as KB5002890. SharePoint administrators should consult the package applicable to their installed release, including KB5002882 for SharePoint Server Subscription Edition and KB5002892 for the SharePoint Server 2016 Language Pack.
The SharePoint Server Subscription Edition package is build 16.0.19725.20434. Microsoft’s CVE data also identifies patched thresholds of 16.0.5561.1001 for SharePoint Server 2016 and 16.0.10417.20175 for SharePoint Server 2019. Patched Office versions vary by product and update channel, while the corrected Mac release is identified as version 16.111.26071215.
Microsoft recommends installing all July 2026 Office security updates that apply to each environment. Microsoft 365 Apps installations normally receive fixes through their configured update channel, whereas MSI-based Office and on-premises SharePoint deployments may require administrators to approve and deploy specific packages.

Information Exposure Still Deserves Prompt Patching​

CVE-2026-55124 is not presented as an actively exploited zero-day. Microsoft’s published data indicates that exploitation had not been observed and that the vulnerability was not publicly disclosed before the July 14 release. CISA’s initial SSVC assessment likewise records no known exploitation and says automated exploitation is not expected.
The required user interaction also limits drive-by exploitation. An attacker reportedly needs to persuade a user to open or process crafted content, making email attachments, collaboration platforms, shared folders, and document download links the most plausible delivery routes.
Still, a High confidentiality impact means the information exposed by successful exploitation could be significant. The public advisory does not identify the precise data that Word may reveal, so administrators should not assume the flaw is limited to harmless metadata.
Endpoint controls remain useful while updates move through testing. Organizations should continue blocking unexpected Office attachments, scanning files at email and web gateways, and training users not to open documents from untrusted sources. SharePoint farms require particular attention because patching involves more than updating desktop Office clients and may include product-specific prerequisites or post-installation configuration.
The immediate operational conclusion is straightforward: deploy the appropriate July 14, 2026 Office and SharePoint updates, but do not classify CVE-2026-55124 as an RCE based solely on Microsoft’s mismatched FAQ text. Unless Microsoft revises the CVE record itself, its title, description, CVSS impact metrics, and supporting update documentation consistently define it as a Microsoft Word information-disclosure vulnerability.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top