Microsoft has released fixes for CVE-2026-50665, an out-of-bounds read vulnerability in Microsoft Office that can expose information and, under Microsoft’s CVSS assessment, potentially affect confidentiality, integrity, and availability. The vulnerability was published on July 14 as part of Microsoft’s July 2026 security updates, and organizations running Microsoft 365 Apps, Office LTSC, Office 2016, Office 2019, or supported Mac editions should treat it as a patching priority.
Microsoft’s Security Update Guide categorizes the issue as a Microsoft Office Information Disclosure Vulnerability. The National Vulnerability Database, using data submitted by Microsoft, describes the underlying flaw more precisely: an out-of-bounds read in Microsoft Office that allows an unauthorized attacker to disclose information locally. Microsoft assigned a CVSS 3.1 base score of 7.8, rated High by the scoring system, with the vector
That combination deserves attention because the public title is narrower than the severity vector. “Information disclosure” describes the stated vulnerability impact, but the score’s high confidentiality, integrity, and availability components indicate Microsoft believes successful exploitation could have consequences beyond merely reading a benign document property or exposing a small amount of memory.
Microsoft has not publicly described the vulnerable Office component, the crafted content required, or the nature of the information that could be exposed. There is also no public indication that CVE-2026-50665 has been exploited in the wild or publicly disclosed before the patch release. That lack of technical detail is helpful in the short term, but it should not be mistaken for a reason to defer updates: patch diffing and security research commonly follow a Patch Tuesday disclosure.
The CVSS vector matters. CVE-2026-50665 is not described as remotely exploitable without interaction; the vector assigns a local attack path and requires user interaction. In practical Office terms, that often means an attacker needs to persuade a user to open, preview, import, or otherwise process attacker-controlled content—or needs a foothold on the target machine through another route.
The important distinction is that “local” does not mean harmless in a Windows enterprise. Users routinely receive Office documents through email, Teams, SharePoint, OneDrive sync folders, browser downloads, line-of-business systems, and removable media. An adversary who already has limited code execution on a workstation could also use an Office parsing flaw as part of a chained attack.
Microsoft’s vector assigns no privileges required, low attack complexity, and required user interaction. That is a more concerning combination than a vulnerability requiring an authenticated Office account, administrative permissions, or a highly unusual configuration. The interaction requirement reduces exposure, but it leaves phishing, document-sharing workflows, and shared-file repositories squarely in scope for defenders.
The flaw is identified as CWE-125, or an out-of-bounds read. In broad terms, this class of bug occurs when software reads memory outside the buffer it was meant to access. The immediate security result can be information leakage, such as data from process memory. Microsoft has not said whether the CVSS integrity and availability ratings reflect an exploitable crash condition, a broader Office security boundary concern, or conservative scoring for possible follow-on effects. Administrators should avoid filling that gap with assumptions.
For Office 2016, Microsoft identifies version 16.0.5561.1000 as the fixed threshold. Microsoft’s July Office update catalog lists KB5002887 as the security update for the Office 2016 mso component, available in both 32-bit and 64-bit editions. That package is a concrete deployment target for organizations maintaining Office 2016 through Microsoft Update, Windows Server Update Services, or the Microsoft Update Catalog.
For the Click-to-Run products—Microsoft 365 Apps, Office 2019, and the LTSC releases—the advisory points administrators to Microsoft’s Office security release information rather than a universal KB number. That is normal for Office servicing: the required fix arrives through the update channel and build appropriate to each installed product.
Mac administrators have a more explicit version boundary. Microsoft lists Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 as affected below version 16.111.26071215. Enterprises that manage Office for Mac separately from Windows endpoints should verify that the July 2026 update has reached their managed fleet rather than assuming Windows patch compliance covers the issue.
July 2026 is also a particularly awkward moment to leave Office update management unattended. Microsoft has begun unifying the Semi-Annual Enterprise Channel and Monthly Enterprise Channel around the Version 2606 release, with devices on the old semi-annual channel receiving the same feature and security updates as Monthly Enterprise Channel devices. That change does not alter the need to deploy CVE-2026-50665’s fix, but it can complicate change-control expectations for teams that historically treated semi-annual Office servicing as a slower-moving track.
A sensible response is straightforward:
The next meaningful milestone is not additional public technical detail; it is evidence that every supported Office servicing path has received the July 14 update. Until then, an ordinary-looking Office document remains the most plausible place for this vulnerability to become an operational problem.
Microsoft’s Security Update Guide categorizes the issue as a Microsoft Office Information Disclosure Vulnerability. The National Vulnerability Database, using data submitted by Microsoft, describes the underlying flaw more precisely: an out-of-bounds read in Microsoft Office that allows an unauthorized attacker to disclose information locally. Microsoft assigned a CVSS 3.1 base score of 7.8, rated High by the scoring system, with the vector
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.That combination deserves attention because the public title is narrower than the severity vector. “Information disclosure” describes the stated vulnerability impact, but the score’s high confidentiality, integrity, and availability components indicate Microsoft believes successful exploitation could have consequences beyond merely reading a benign document property or exposing a small amount of memory.
Microsoft has not publicly described the vulnerable Office component, the crafted content required, or the nature of the information that could be exposed. There is also no public indication that CVE-2026-50665 has been exploited in the wild or publicly disclosed before the patch release. That lack of technical detail is helpful in the short term, but it should not be mistaken for a reason to defer updates: patch diffing and security research commonly follow a Patch Tuesday disclosure.
A locally triggered Office flaw still has a familiar delivery path
The CVSS vector matters. CVE-2026-50665 is not described as remotely exploitable without interaction; the vector assigns a local attack path and requires user interaction. In practical Office terms, that often means an attacker needs to persuade a user to open, preview, import, or otherwise process attacker-controlled content—or needs a foothold on the target machine through another route.The important distinction is that “local” does not mean harmless in a Windows enterprise. Users routinely receive Office documents through email, Teams, SharePoint, OneDrive sync folders, browser downloads, line-of-business systems, and removable media. An adversary who already has limited code execution on a workstation could also use an Office parsing flaw as part of a chained attack.
Microsoft’s vector assigns no privileges required, low attack complexity, and required user interaction. That is a more concerning combination than a vulnerability requiring an authenticated Office account, administrative permissions, or a highly unusual configuration. The interaction requirement reduces exposure, but it leaves phishing, document-sharing workflows, and shared-file repositories squarely in scope for defenders.
The flaw is identified as CWE-125, or an out-of-bounds read. In broad terms, this class of bug occurs when software reads memory outside the buffer it was meant to access. The immediate security result can be information leakage, such as data from process memory. Microsoft has not said whether the CVSS integrity and availability ratings reflect an exploitable crash condition, a broader Office security boundary concern, or conservative scoring for possible follow-on effects. Administrators should avoid filling that gap with assumptions.
The affected Office estate is wider than a single perpetual release
According to Microsoft’s CVE data as reflected by the NVD record, the affected products include Microsoft 365 Apps for enterprise on 32-bit and x64 Windows systems; Office 2016; Office 2019; Office LTSC 2021; Office LTSC 2024; Office 365 for Mac; and Office LTSC for Mac 2021 and 2024.For Office 2016, Microsoft identifies version 16.0.5561.1000 as the fixed threshold. Microsoft’s July Office update catalog lists KB5002887 as the security update for the Office 2016 mso component, available in both 32-bit and 64-bit editions. That package is a concrete deployment target for organizations maintaining Office 2016 through Microsoft Update, Windows Server Update Services, or the Microsoft Update Catalog.
For the Click-to-Run products—Microsoft 365 Apps, Office 2019, and the LTSC releases—the advisory points administrators to Microsoft’s Office security release information rather than a universal KB number. That is normal for Office servicing: the required fix arrives through the update channel and build appropriate to each installed product.
Mac administrators have a more explicit version boundary. Microsoft lists Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 as affected below version 16.111.26071215. Enterprises that manage Office for Mac separately from Windows endpoints should verify that the July 2026 update has reached their managed fleet rather than assuming Windows patch compliance covers the issue.
Patch verification matters more than a single CVE search
For Microsoft 365 Apps, the immediate task is to ensure managed endpoints can obtain their channel’s July security release and have not been held at an older build by update policies, disconnected VPN-only workflows, or failed Click-to-Run servicing. Microsoft’s documentation notes that security updates for its primary Microsoft 365 Apps channels are released monthly, normally on the second Tuesday.July 2026 is also a particularly awkward moment to leave Office update management unattended. Microsoft has begun unifying the Semi-Annual Enterprise Channel and Monthly Enterprise Channel around the Version 2606 release, with devices on the old semi-annual channel receiving the same feature and security updates as Monthly Enterprise Channel devices. That change does not alter the need to deploy CVE-2026-50665’s fix, but it can complicate change-control expectations for teams that historically treated semi-annual Office servicing as a slower-moving track.
A sensible response is straightforward:
- Update Microsoft 365 Apps and Office LTSC devices to the current supported July 2026 security build for their configured channel.
- Deploy KB5002887 to applicable Office 2016 installations after normal pilot validation.
- Confirm that Office 2019, Office LTSC 2021, and Office LTSC 2024 Click-to-Run installations have completed their July servicing cycle.
- Update Office for Mac to version 16.111.26071215 or later where those editions are in use.
- Use endpoint inventory to find unmanaged, offline, or update-disabled Office installations before considering the exposure closed.
A High score in a noisy Patch Tuesday still warrants its own ticket
July’s Microsoft security release is unusually large, and CVE-2026-50665 sits among many Office vulnerabilities, including several remote-code-execution issues. That context will understandably push some organizations toward triage based on active exploitation and remote attackability first. But the Office fleet is so broad, and the user-interaction condition aligns so closely with normal document workflows, that this is not a CVE to leave buried in a monthly rollup.The next meaningful milestone is not additional public technical detail; it is evidence that every supported Office servicing path has received the July 14 update. Until then, an ordinary-looking Office document remains the most plausible place for this vulnerability to become an operational problem.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
July 2026 updates for Microsoft Office | Microsoft Support
July 2026 updates for Microsoft Officesupport.microsoft.com