CVE-2026-50301 Office RCE: Update Office 2016 to 16.0.5561.1000

CVE-2026-50301 is a Microsoft Office heap-based buffer overflow that can let an attacker run code on a victim’s PC, but its CVSS vector is Local, not Network. The apparent contradiction comes from two different uses of “remote”: Microsoft’s vulnerability title describes the attacker-controlled code execution, while CVSS describes where the vulnerable Office component processes the exploit.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security release. The Microsoft Security Response Center rates it Important with a CVSS 3.1 base score of 7.8 and the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
The practical reading is straightforward: this is not an unauthenticated, network-facing Office service that an attacker can directly probe over the internet. A user must interact with attacker-supplied content, and Office must process that content on the local Windows machine before the buffer overflow can be triggered.

Cybersecurity illustration showing a heap buffer overflow corrupting data, with high-impact attack indicators.“Remote Code Execution” Describes the Result​

Microsoft explains in its Security Update Guide that “remote” in the title refers to the attacker’s location. The attacker does not need to be physically present at the affected computer and may deliver malicious content from elsewhere, but the vulnerable Office application ultimately opens or processes that content locally.
That makes remote code execution an impact description rather than a complete explanation of the attack path. If exploitation succeeds, code chosen by a remote attacker can execute in the context of the affected Office process and its user. The same outcome is also commonly described as arbitrary code execution, or ACE.
The CVE record identifies the underlying weakness as CWE-122, a heap-based buffer overflow. This class of bug occurs when software writes more data to a heap allocation than the allocated memory can safely contain, potentially corrupting adjacent data and altering program execution.
Microsoft has not publicly documented the malformed file format, affected Office component, or exact exploitation sequence. Administrators therefore should not assume the flaw is restricted to Word, Excel, PowerPoint, macros, or any particular document extension unless Microsoft adds that information later.

CVSS Measures the Exploit’s Immediate Path​

The AV:L field in the CVSS vector does not necessarily mean the attacker must possess an account on the computer. Under the CVSS 3.1 guidance maintained by the Forum of Incident Response and Security Teams, malicious content vulnerabilities may receive a Local attack vector when a user must download, receive, open, or otherwise process the content on the vulnerable system.
In other words, email, a website, cloud storage, a collaboration platform, or removable media might serve as the delivery route. Those channels bring the payload to the victim, but they are not necessarily the interface through which the vulnerable Office code is directly attacked.
The rest of CVE-2026-50301’s vector clarifies the scenario:
  • Attack complexity is Low, indicating Microsoft has not identified special conditions beyond the attacker’s control that must be overcome.
  • Privileges required is None, meaning the attacker does not first need an authenticated account or existing privileges on the target.
  • User interaction is Required, confirming that another person must take an action that contributes to exploitation.
  • Scope is Unchanged, so the vulnerable component and the security authority affected by exploitation remain within the same security boundary.
  • Confidentiality, integrity, and availability impacts are all High, reflecting the possibility of broad compromise after successful code execution.
This combination is typical of malicious-document vulnerabilities. The attacker can remain remote, send or publish crafted content, and rely on the victim to bring it into the Office processing path. The exploit itself is still considered local because Office executes and parses the payload on the endpoint rather than receiving the exploit through a remotely exposed network service.
That distinction separates CVE-2026-50301 from a classic network RCE such as a flaw in an internet-facing web server, Remote Desktop service, or DNS server. Those vulnerabilities normally receive AV:N because specially crafted traffic can directly reach the vulnerable component across a network.

User Interaction Lowers the Score, Not the Potential Impact​

The UI:R rating is important, but it should not be interpreted as proof that exploitation would be difficult or obvious to the user. It only records that user participation is necessary somewhere in the chain.
Microsoft has not stated what that interaction entails for CVE-2026-50301. It could involve opening a file, selecting downloaded content, or causing Office to process an object through another workflow. There is currently no public basis for claiming that the victim must enable macros, dismiss a Protected View warning, or approve active content.
The 7.8 score reflects the local attack vector and user-interaction requirement, while the three High impact ratings explain why Microsoft still classifies the issue as an Office remote code execution vulnerability. Once triggered, the flaw could potentially expose data, modify files, install software, or disrupt the affected system within the permissions available to the compromised Office process.
Least-privilege configuration still matters. A successful exploit running under a standard user generally starts with fewer rights than one executed by an administrator, although attackers may attempt to combine code execution with a separate elevation-of-privilege vulnerability.
Security controls that inspect attachments, restrict untrusted Office content, and block suspicious child processes can add defensive layers. They are not substitutes for the security update, particularly because Microsoft has not disclosed enough technical detail to build a narrowly targeted workaround.

Office 2016 Needs a Verifiable Build Check​

Microsoft lists Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 among the affected product families, covering both 32-bit and 64-bit deployments. The CVE record identifies Office 2016 versions earlier than 16.0.5561.1000 as affected.
For Microsoft 365 Apps and other Click-to-Run editions, the applicable fixed build depends on the servicing channel. Administrators should compare installed versions against Microsoft’s Office security release information rather than treating the Office 2016 build threshold as universal.
Microsoft’s July 2026 Office release includes separate updates for components such as Office 2016, Excel 2016, PowerPoint 2016, Word 2016 and Visual Basic for Applications. Enterprises using MSI-based Office 2016 should inventory the installed component updates instead of assuming that a Windows cumulative update patched Office automatically.
Managed Microsoft 365 Apps installations also deserve verification. Update policies, paused channels, disconnected devices and failed Click-to-Run servicing can leave endpoints behind even when the tenant is configured for automatic updates.
CVE-2026-50301 was not listed by Microsoft as publicly disclosed or exploited in the wild when released. CISA’s initial assessment likewise recorded no known exploitation, but assigned the vulnerability a potentially total technical impact. That makes it a routine patching priority rather than evidence of an active emergency campaign.
The key operational lesson is that AV:L does not make this a harmless “local-only” privilege bug. It means the malicious content must reach and be processed on the endpoint. For Office-heavy environments, email gateways and document controls may reduce exposure, but bringing every supported Office installation onto its July 14, 2026 security level is the control that closes the vulnerable code path.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: ncsc.gov.ie
  3. Related coverage: techradar.com
  4. Official source: support.microsoft.com
 

Back
Top