Microsoft has patched CVE-2026-55038, a Microsoft Word remote code execution vulnerability caused by a stack-based buffer overflow. The flaw carries a CVSS 3.1 score of 7.8 and an Important severity rating, making the July 14, 2026 Office updates the direct fix for affected Windows and Mac installations.
Detailed in Microsoft’s Security Update Guide and included in the July 2026 Patch Tuesday release, CVE-2026-55038 can let an unauthorized attacker execute code in the context of the user running Word. Microsoft says the vulnerability was neither publicly disclosed nor exploited when the update shipped, and assesses exploitation as “less likely.”
That lowers the immediate zero-day pressure, but it does not make the patch optional. Word remains a common delivery vehicle for phishing attachments, and a memory-corruption flaw capable of code execution gives attackers a potentially useful path once enough technical information is available to reproduce it.
CVE-2026-55038 is classified as remote code execution, but its CVSS attack vector is local rather than network-based. The distinction matters: an attacker cannot simply scan an exposed Windows PC and exploit Word over the internet.
The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, the attack has low complexity, requires no prior privileges, but does require user interaction. A victim would typically need to open or otherwise process attacker-controlled content before the vulnerable Word component could be reached.
If exploitation succeeds, the attacker could gain the same permissions as the current user. That may allow access to documents, browser data and mapped network resources, along with the ability to install malware or modify files where the user has sufficient rights. Users operating with local administrator privileges would expose more of the system than those working under standard accounts.
The underlying weakness is CWE-121, a stack-based buffer overflow. This class of flaw occurs when software writes more data to a stack buffer than the allocated space can hold, potentially corrupting nearby control data. Carefully constructed input can sometimes turn that corruption into attacker-directed code execution rather than a simple application crash.
Microsoft has not published enough file-format or parser-level detail to identify the precise Word feature involved. There is also no public proof-of-concept associated with the vulnerability at publication time. Administrators should therefore avoid building narrowly targeted mitigations around assumptions about DOCX, RTF or another specific format.
Affected products include:
SharePoint Server 2016 is fixed at build 16.0.5561.1001, while SharePoint Server 2019 must reach 16.0.10417.20175. SharePoint Server Subscription Edition must be brought to build 16.0.19725.20434. Microsoft’s July Office update catalog lists KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019 and KB5002882 for Subscription Edition, with separate language-pack packages where applicable.
Those SharePoint entries are important because an inventory search limited to desktop installations of WINWORD.EXE may miss server-side exposure. Organizations running on-premises SharePoint should review the CVE against both their Office estate and their farm patch levels.
Microsoft 365 Apps generally receives security fixes through its servicing channels rather than a traditional standalone MSI package. Administrators using update rings, delayed channels or deployment controls should verify the installed Office build instead of assuming Microsoft 365 automatically means current.
This distinction regularly creates confusion around Office vulnerabilities. “Remote code execution” describes an attacker’s ability to cause code to run from a remote position, often by delivering malicious content, while “local” in the CVSS vector describes where the vulnerable processing action occurs. The attacker does not necessarily need an existing local account, but the target must be persuaded to interact with the content.
CVE-2026-55038 also arrived in an unusually large July Patch Tuesday release. BleepingComputer cataloged hundreds of Microsoft flaws in the month’s rollout, including numerous Office, Word, Excel, PowerPoint and SharePoint vulnerabilities. The Zero Day Initiative likewise recorded CVE-2026-55038 as one of several 7.8-rated Word code-execution bugs fixed in the same cycle.
That clustering increases the value of deploying the complete Office update rather than trying to isolate one CVE. KB5002890 addresses multiple Word vulnerabilities, including additional use-after-free, heap-overflow, stack-overflow and integer-overflow issues. A system patched only through an improvised workaround for CVE-2026-55038 could remain exposed to closely related document-processing attacks.
Administrators should pay particular attention to machines that are frequently missed by routine Office servicing: virtual desktop images, offline laptops, shared workstations, kiosk-like systems with Office installed, and devices held on deferred Microsoft 365 update channels. Golden images should be patched before new virtual machines or session hosts are provisioned from them.
Email filtering, Protected View and attachment sandboxing remain useful layers, but they are not substitutes for fixing the vulnerable code. Blocking unexpected Office attachments and preventing users from working as local administrators can reduce exposure while rollout testing is underway.
SharePoint administrators face a separate operational requirement. Installing SharePoint security binaries may need to be followed by the appropriate SharePoint Products Configuration Wizard or PowerShell upgrade procedure, depending on the package and farm configuration. Teams should verify both the installed update and the resulting farm build rather than treating a successful package installation as the end of the job.
CVE-2026-55038 was vendor-confirmed when Microsoft published it on July 14, 2026, and the available technical data identifies a specific stack-buffer weakness rather than merely asserting that an undesirable behavior exists. The remaining uncertainty concerns exploit implementation, not whether the vulnerability is real.
With no reported exploitation and no public disclosure at release, organizations have room for normal compatibility testing. They do not have a strong reason to defer the July Office updates beyond their standard Patch Tuesday window, particularly when the same packages remove several other Word code-execution paths alongside CVE-2026-55038.
Detailed in Microsoft’s Security Update Guide and included in the July 2026 Patch Tuesday release, CVE-2026-55038 can let an unauthorized attacker execute code in the context of the user running Word. Microsoft says the vulnerability was neither publicly disclosed nor exploited when the update shipped, and assesses exploitation as “less likely.”
That lowers the immediate zero-day pressure, but it does not make the patch optional. Word remains a common delivery vehicle for phishing attachments, and a memory-corruption flaw capable of code execution gives attackers a potentially useful path once enough technical information is available to reproduce it.
A Document Still Has to Reach the User
CVE-2026-55038 is classified as remote code execution, but its CVSS attack vector is local rather than network-based. The distinction matters: an attacker cannot simply scan an exposed Windows PC and exploit Word over the internet.The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, the attack has low complexity, requires no prior privileges, but does require user interaction. A victim would typically need to open or otherwise process attacker-controlled content before the vulnerable Word component could be reached.
If exploitation succeeds, the attacker could gain the same permissions as the current user. That may allow access to documents, browser data and mapped network resources, along with the ability to install malware or modify files where the user has sufficient rights. Users operating with local administrator privileges would expose more of the system than those working under standard accounts.
The underlying weakness is CWE-121, a stack-based buffer overflow. This class of flaw occurs when software writes more data to a stack buffer than the allocated space can hold, potentially corrupting nearby control data. Carefully constructed input can sometimes turn that corruption into attacker-directed code execution rather than a simple application crash.
Microsoft has not published enough file-format or parser-level detail to identify the precise Word feature involved. There is also no public proof-of-concept associated with the vulnerability at publication time. Administrators should therefore avoid building narrowly targeted mitigations around assumptions about DOCX, RTF or another specific format.
The Affected List Extends Beyond Word 2016
Microsoft’s product data identifies both perpetual Office releases and subscription installations as affected. The scope includes 32-bit and 64-bit Windows deployments, several Mac editions, and supported SharePoint Server products that use Office document-processing components.Affected products include:
- Microsoft 365 Apps for enterprise on 32-bit and x64 Windows systems requires the applicable Office security release.
- Microsoft Office 2019 on 32-bit and x64 Windows systems is affected.
- Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
- Microsoft Office 365 for Mac must be updated to version 16.111.26071215 or later.
- Microsoft Office LTSC for Mac 2021 and LTSC for Mac 2024 must be updated to version 16.111.26071215 or later.
- Microsoft Word 2016 must be updated to build 16.0.5561.1000 through KB5002890.
- SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition require their corresponding July security updates.
SharePoint Server 2016 is fixed at build 16.0.5561.1001, while SharePoint Server 2019 must reach 16.0.10417.20175. SharePoint Server Subscription Edition must be brought to build 16.0.19725.20434. Microsoft’s July Office update catalog lists KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019 and KB5002882 for Subscription Edition, with separate language-pack packages where applicable.
Those SharePoint entries are important because an inventory search limited to desktop installations of WINWORD.EXE may miss server-side exposure. Organizations running on-premises SharePoint should review the CVE against both their Office estate and their farm patch levels.
Microsoft 365 Apps generally receives security fixes through its servicing channels rather than a traditional standalone MSI package. Administrators using update rings, delayed channels or deployment controls should verify the installed Office build instead of assuming Microsoft 365 automatically means current.
Important Does Not Mean Low Impact
The 7.8 score reflects a potentially complete loss of confidentiality, integrity and availability after successful exploitation. Microsoft’s Important rating is driven largely by the need for user interaction and the local CVSS attack vector, not by a limited post-exploitation outcome.This distinction regularly creates confusion around Office vulnerabilities. “Remote code execution” describes an attacker’s ability to cause code to run from a remote position, often by delivering malicious content, while “local” in the CVSS vector describes where the vulnerable processing action occurs. The attacker does not necessarily need an existing local account, but the target must be persuaded to interact with the content.
CVE-2026-55038 also arrived in an unusually large July Patch Tuesday release. BleepingComputer cataloged hundreds of Microsoft flaws in the month’s rollout, including numerous Office, Word, Excel, PowerPoint and SharePoint vulnerabilities. The Zero Day Initiative likewise recorded CVE-2026-55038 as one of several 7.8-rated Word code-execution bugs fixed in the same cycle.
That clustering increases the value of deploying the complete Office update rather than trying to isolate one CVE. KB5002890 addresses multiple Word vulnerabilities, including additional use-after-free, heap-overflow, stack-overflow and integer-overflow issues. A system patched only through an improvised workaround for CVE-2026-55038 could remain exposed to closely related document-processing attacks.
Patch Verification Matters More Than the CVE Count
For managed Windows environments, the immediate task is to identify Office builds that have not received the July 14 security release. Microsoft Configuration Manager, Microsoft Intune, Windows Update for Business reporting, PowerShell inventory scripts and third-party vulnerability scanners can all help, but results should be checked against actual application versions.Administrators should pay particular attention to machines that are frequently missed by routine Office servicing: virtual desktop images, offline laptops, shared workstations, kiosk-like systems with Office installed, and devices held on deferred Microsoft 365 update channels. Golden images should be patched before new virtual machines or session hosts are provisioned from them.
Email filtering, Protected View and attachment sandboxing remain useful layers, but they are not substitutes for fixing the vulnerable code. Blocking unexpected Office attachments and preventing users from working as local administrators can reduce exposure while rollout testing is underway.
SharePoint administrators face a separate operational requirement. Installing SharePoint security binaries may need to be followed by the appropriate SharePoint Products Configuration Wizard or PowerShell upgrade procedure, depending on the package and farm configuration. Teams should verify both the installed update and the resulting farm build rather than treating a successful package installation as the end of the job.
CVE-2026-55038 was vendor-confirmed when Microsoft published it on July 14, 2026, and the available technical data identifies a specific stack-buffer weakness rather than merely asserting that an undesirable behavior exists. The remaining uncertainty concerns exploit implementation, not whether the vulnerability is real.
With no reported exploitation and no public disclosure at release, organizations have room for normal compatibility testing. They do not have a strong reason to defer the July Office updates beyond their standard Patch Tuesday window, particularly when the same packages remove several other Word code-execution paths alongside CVE-2026-55038.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Word 2016: May 12, 2026 (KB5002858) | Microsoft Support
Description of the security update for Word 2016: May 12, 2026 (KB5002858)support.microsoft.com - Related coverage: sra.io
- Related coverage: windowscentral.com
Microsoft patches Notepad's severe Markdown security flaw | Windows Central
Notepad just picked up Markdown support last year, much to the chagrin of many longtime users. Microsoft has now provided details of a severe vulnerability.www.windowscentral.com - Related coverage: pcgamer.com
Thanks to Microsoft adding all those extra features to Notepad, it now unfortunately sports one more: An exploitation vulnerability with a high security rating | PC Gamer
At least it's easy enough to avoid, until Notepad gets patched to fix the problem.www.pcgamer.com