CVE-2026-56195: Install July Office Builds to Fix Memory Leak

Microsoft’s July 14 Office security releases address CVE-2026-56195, an out-of-bounds read flaw that can disclose information from memory after a user opens malicious content in an affected Office installation. The vulnerability carries a CVSS 3.1 score of 5.5, rated Medium, but it spans Microsoft 365 Apps, Office LTSC 2021 and 2024, Office 2019, Office 2016, and supported Mac equivalents—making prompt verification worthwhile even without evidence of active exploitation.
Microsoft published the advisory on July 14, 2026. The National Vulnerability Database’s initial record, sourced from Microsoft, identifies the underlying weakness as CWE-125: an out-of-bounds read. It also says exploitation is local, requires user interaction, needs no attacker privileges, and can expose information while leaving integrity and availability unaffected.
For Windows administrators, the immediate takeaway is straightforward: make sure Office clients have received the July 2026 security build or later, and do not confuse this with a Windows cumulative update. This is an Office servicing issue, delivered through Click-to-Run update channels for Microsoft 365 Apps and through the relevant Office update packages for perpetual installations.

Cybersecurity dashboard showing July 2026 patch deployment, 85% deployed across devices worldwide.A malicious file is still the delivery mechanism​

CVE-2026-56195 is not a network worm and does not grant an attacker automatic remote code execution. The published CVSS vector indicates an attacker must persuade a user to interact with specially crafted content locally—most plausibly an Office document or file handled by an affected application component.
That distinction matters, but it should not become a reason to defer patching. Office documents remain one of the most familiar delivery formats in phishing, invoice fraud, shared-file lures, and targeted social-engineering campaigns. An information disclosure vulnerability can reveal memory contents that may be useful on their own, or may help an attacker make a subsequent exploit chain more reliable.
Microsoft and NVD describe the impact as high confidentiality loss, not a broad system compromise. In practical terms, the disclosed data could depend on what Office had in memory at the time of exploitation; neither Microsoft’s public advisory nor the NVD record currently identifies a precise application, document type, memory target, proof of concept, or exploitation technique. That limited public detail is important: organizations should avoid filling the gaps with assumptions about stolen files, credentials, or remote access.
The technical description is nevertheless specific enough to establish the vulnerability’s existence. Microsoft’s assigned CVSS vector identifies low attack complexity, no required privileges, required user interaction, and high confidentiality impact. NVD has not yet completed its independent enrichment or issued a CVSS 4.0 assessment.

CISA’s early triage says no exploitation is known​

The NVD record includes a CISA SSVC assessment, a decision-oriented vulnerability triage framework used to help defenders judge response urgency. Its initial values are reassuring but not dismissive: exploitation is listed as “none,” the flaw is “not automatable,” and the technical impact is “partial.”
Those classifications mean there is currently no known in-the-wild exploitation reflected in the record, and the issue is not believed to be something attackers can mass-exploit without a user-driven interaction. “Partial” technical impact aligns with the information disclosure outcome rather than code execution or broad privilege escalation.
This is a useful prioritization signal for stretched IT teams. CVE-2026-56195 should not leapfrog confirmed zero-days, internet-exposed server vulnerabilities, or actively exploited identity flaws. But it belongs in the normal July patch deployment window, particularly for users who routinely open externally supplied Office files or work with confidential documents.
The absence of a public exploit is a snapshot, not a permanent mitigation. Microsoft’s advisory has only been public since July 14, and attackers often examine vendor fixes after Patch Tuesday to understand what changed. The lack of a published proof of concept reduces urgency relative to a zero-day, but it does not remove the value of getting ahead of reverse engineering.

The affected product list reaches beyond one Office generation​

According to the Microsoft-supplied data in NVD, the affected Windows products include Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024, in both 32-bit and 64-bit configurations where applicable. On macOS, Microsoft lists Microsoft 365 for Mac and Office LTSC for Mac 2021 and 2024.
For Office 2016, the stated fixed threshold is version 16.0.5561.1000. For the Mac products, the fixed threshold is version 16.111.26071215. Microsoft 365 Apps, Office 2019, and the LTSC releases use Microsoft’s Office security release servicing mechanism rather than a single universal version number in the CVE record.
Microsoft’s Office security release notes identify the relevant July 14 builds for Click-to-Run and perpetual retail or volume-licensed editions. Among them are:
  • Current Channel Version 2606, Build 20131.20154.
  • Monthly Enterprise Channel Version 2606, Build 20131.20152.
  • Semi-Annual Enterprise Channel Version 2508, Build 19127.20730.
  • Office LTSC 2024 Volume Licensed Version 2408, Build 17932.20884.
  • Office LTSC 2021 Volume Licensed Version 2108, Build 14334.20806.
  • Office 2019 Volume Licensed Version 1808, Build 10417.20176.
Microsoft’s July Office release notes explicitly include CVE-2026-56195 under the Office suite fixes. That is the cleanest validation target for administrators: compare deployed builds against the July 14 release or simply ensure the assigned servicing channel has completed its latest update.
There is one support wrinkle worth noting. Microsoft says support for Office 2019 ended on October 14, 2025, although it reserves discretion to issue one or more subsequent updates. The July 2026 security release notes do in fact list an Office 2019 Volume Licensed build. Environments still relying on Office 2019 should treat this patch as helpful, not as a restoration of a normal supported lifecycle; migration planning remains necessary.

Deployment teams should verify the channel, not just the product name​

Click-to-Run Office does not map cleanly to the old “Office 2016” or “Office 2019” labels displayed by some inventory tools. Microsoft 365 Apps, Office LTSC editions, and retail perpetual versions can all report the Office 16.x codebase while receiving servicing through different channels and build branches. Asset inventories that stop at a product-family label can therefore create false confidence.
For Microsoft 365 Apps, Monthly Enterprise Channel releases security updates on the second Tuesday of the month and makes them cumulative. Semi-Annual Enterprise Channel also receives security updates on that schedule. Microsoft’s guidance is especially relevant this month because Semi-Annual Enterprise Channel began receiving monthly feature and security updates in July 2026, changing the operational rhythm for organizations that selected it for stability.
Administrators should verify a representative sample of endpoints through an Office app’s Account page, Intune or Configuration Manager inventory, Microsoft 365 Apps admin reporting, or their endpoint management platform. The target should be an installed build at or beyond the relevant July 14 security release—not merely a successful Windows Update scan.
For Office 2016 MSI deployments, Microsoft’s July update catalog includes separate packages for different shared Office components and applications. Those packages are not interchangeable with Click-to-Run servicing. Organizations with mixed estates should identify MSI-based Office 2016 separately before declaring remediation complete.

Sensible urgency, not incident-mode panic​

CVE-2026-56195 is a real, vendor-confirmed Office memory-safety flaw with a broad product footprint. Yet its published characteristics place it below the threshold for emergency incident response in most environments: it is Medium severity, depends on user interaction, lacks known exploitation, is not assessed as automatable, and is limited to information disclosure.
The appropriate response is to deploy the July 14 Office security update through established rings, accelerate rollout for high-risk users who process external documents, and confirm that security tooling continues to inspect inbound attachments. Users should still be reminded not to open unexpected documents, but training is a supplement to patching rather than a substitute for it.
The next meaningful change will be whether Microsoft expands its advisory with exploit details, mitigation guidance, or evidence of active attacks—or whether NVD’s enrichment changes the risk picture. Until then, the concrete milestone is simpler: Office clients should be on the July 2026 security build before attackers have a reason to turn a Medium-severity disclosure bug into a more useful foothold.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
  4. Related coverage: windowscentral.com
 

Back
Top