CVE-2026-55129: Patch Office RCE Heap Overflow (July 14)

CVE-2026-55129 can let an attacker run arbitrary code through Microsoft Office, but its CVSS attack vector is Local because exploitation requires code or malicious content to be processed on the target computer. Microsoft’s “Remote Code Execution” title describes the security impact and the attacker’s relationship to the victim; it does not mean the vulnerable Office component can be attacked directly over a network.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security updates. The Microsoft Security Response Center describes it as a heap-based buffer overflow and assigns it a CVSS 3.1 score of 7.8, rated High, with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
That vector is the clearest guide to the actual attack conditions. Exploitation has low complexity and requires no existing privileges, but it does require user interaction and local processing on the affected device.

Cybersecurity illustration showing a malicious document exploiting an office application with corrupted memory and code execution.“Remote” Describes the Outcome, Not the Packet Route​

The apparent contradiction comes from two classification systems describing different properties of the same vulnerability.
“Remote Code Execution” is an impact category. It means an attacker who is not already sitting at the victim’s keyboard may be able to cause attacker-controlled code to execute on the victim’s computer. The attacker could potentially initiate the chain from elsewhere, such as by arranging for a victim to receive and interact with malicious content.
CVSS Attack Vector, by contrast, describes how close the attacker must get to the vulnerable component when exploitation occurs. An AV:N rating would mean the attacker can reach that component through a network protocol or service. An AV:L rating means the vulnerable component is exploited through activity performed on the target system.
For CVE-2026-55129, Office is not described as listening for an unauthenticated request that independently triggers the buffer overflow. Something must be executed or processed locally, and Microsoft says the attacker or victim must execute code from the local machine to exploit the flaw.
Microsoft also notes that vulnerabilities in this category are sometimes described as arbitrary code execution, or ACE. That wording avoids implying that the vulnerable software is directly network-accessible, although “remote code execution” remains common terminology for attacks in which an outside party ultimately gains code execution on another person’s system.
The distinction can be reduced to two separate questions:
  • The vulnerability’s impact asks whether attacker-controlled code can run on the affected computer.
  • The attack-vector metric asks how the vulnerable component must be reached or invoked.
  • CVE-2026-55129 permits code execution, but its vulnerable Office code path must be triggered locally.
An email, chat message, cloud-storage link, or downloaded file can therefore be delivered remotely while still leading to an AV:L vulnerability. The network may transport the lure or payload, but it is not necessarily the interface through which the software flaw itself is exploited.

The Rest of the Vector Shows the Real Risk​

The other CVSS fields are important because “Local” can sound less serious than it is. CVE-2026-55129 does not require the attacker to possess a local account or authenticate to the target beforehand.
The PR:N metric means no privileges are required before exploitation. UI:R means user interaction is required, which is consistent with an attack chain in which a victim must open, launch, or otherwise process attacker-controlled material on the local machine.
AC:L indicates that Microsoft considers the attack complexity low. There are no unusual race conditions or highly specific environmental requirements represented in the base vector. Once the required local processing occurs, the vulnerability can produce high confidentiality, integrity, and availability impact.
Those three High ratings explain the 7.8 score:
  • Successful exploitation could expose data accessible to the compromised Office process or user.
  • It could allow an attacker to change files, settings, or other accessible resources.
  • It could disrupt Office or the wider user environment.
The scope remains unchanged, represented by S:U. In CVSS terms, that means the vulnerable component and the affected security authority remain within the same security scope. It does not mean the consequences are confined to a harmless Office crash.
Code would generally execute in the context of the user running Office. A user operating with administrative privileges could therefore expose more of the system than one using a standard account. Even under a standard account, however, access to documents, browser data, synchronized folders, network shares, and user-level persistence mechanisms can make an Office compromise consequential.
This is why AV:L should not be read as “an attacker must already control the computer.” The vector requires local execution or processing, not prior local compromise. The required step may be supplied by the victim’s interaction.

A Heap Overflow Makes the Office Process the Battleground​

Microsoft identifies CWE-122, a heap-based buffer overflow, as the underlying weakness. This class of vulnerability occurs when software writes more data to a heap allocation than the allocated memory can safely contain.
At minimum, memory corruption can cause the application to crash. Under exploitable conditions, carefully controlled corruption may alter program behavior and redirect execution toward attacker-selected instructions or data.
Office vulnerabilities of this kind are especially relevant to organizations because productivity applications routinely process content originating outside the security boundary. Word documents, spreadsheets, presentations, templates, embedded objects, and files synchronized from collaboration platforms all cross between users and organizations as part of normal work.
CVE-2026-55129’s UI:R rating gives administrators a useful control point, but it should not be treated as a complete mitigation. Security awareness, attachment filtering, Protected View, Microsoft Defender for Office 365, application-control policies, and least-privilege accounts can reduce exposure. None substitutes for correcting the vulnerable Office code.

The Affected Office Footprint Spans Windows and macOS​

The vulnerability affects a broad set of supported Office releases, according to Microsoft’s CVE data reproduced by the National Vulnerability Database. The affected product list includes Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 on Windows.
Microsoft also lists Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024. Mac installations should be updated to version 16.111.26071215 or later.
For the MSI-based Windows release of Office 2016, Microsoft identifies versions before 16.0.5561.1000 as affected. Microsoft 365 Apps and newer perpetual Office releases use their respective servicing channels and security-release baselines rather than a single universal fixed build in the public CVE product data.
Administrators should verify that July 14, 2026 Office security updates have reached every update channel in use. That includes devices that are rarely connected to the corporate network, virtual desktops, shared workstations, test images, and Macs managed outside the primary Windows patching platform.
Inventory checks should also distinguish Click-to-Run installations from MSI-based Office 2016 deployments. Applying a standalone MSI update to one product branch does not establish that Microsoft 365 Apps on another channel has received its corresponding fix.
CVE-2026-55129 was not a network-service vulnerability simply because Microsoft classified its impact as remote code execution. It was an Office memory-corruption flaw that an outside attacker could potentially weaponize, with the decisive exploit step occurring when attacker-controlled code or content was executed or processed on the victim’s machine. The practical response is therefore unchanged by the terminology: deploy the July 2026 Office updates and treat unexpected Office content as an execution boundary, not merely a document.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Official source: learn.microsoft.com
  4. Related coverage: techradar.com
  5. Related coverage: korporaalmedia.nl
 

Back
Top