CVE-2026-50314 is a critical Microsoft Office use-after-free vulnerability that can let an attacker’s code run on a victim’s computer, even though its CVSS attack vector is marked Local rather than Network. The apparent contradiction comes from two different uses of location: remote code execution describes who supplied the code, while
Microsoft published CVE-2026-50314 on July 14, 2026, as part of its monthly security release. Detailed in Microsoft’s Security Update Guide, the flaw carries a CVSS 3.1 base score of 7.8 and is classified as a Microsoft Office Remote Code Execution Vulnerability.
The underlying weakness is a use-after-free memory-management error, tracked as CWE-416. An unauthorized attacker can prepare malicious content that triggers the defect when Office processes it, potentially gaining the ability to execute arbitrary code in the security context of the affected user.
In everyday IT language, remote code execution often evokes an unauthenticated attacker sending packets directly to an exposed server. That is one form of RCE, but it is not the only one.
For CVE-2026-50314, the attacker can be somewhere else and deliver a malicious Office document through email, a download, a collaboration platform, cloud storage, or another distribution channel. The attacker does not need to sit at the target PC, but the malicious file must ultimately be processed by Office on that PC.
Microsoft explicitly explains this distinction in its advisory. The word “Remote” in the vulnerability title refers to the attacker’s location; the exploit itself is carried out locally after content reaches the target system. Microsoft notes that this class of issue is also sometimes described as arbitrary code execution, or ACE.
That makes both descriptions technically consistent:
An exposed web service, RPC endpoint, mail server, or listening TCP service might qualify for
Office document vulnerabilities frequently work differently. Email or cloud storage may transport the malicious file, but those services are only the delivery mechanism. The actual vulnerability is triggered later, when Microsoft Office running on the endpoint parses or renders the file.
That separation is why a document arriving from the internet does not automatically make the CVSS vector
The same distinction applies to files copied from a USB drive, placed on a shared folder, downloaded through a browser, or synchronized by OneDrive. The origin and delivery route can vary without changing the technical point at which exploitation happens.
CVSS also evaluates other conditions separately. CVE-2026-50314 has a 7.8 base score because successful exploitation can have a high impact on confidentiality, integrity, and availability, despite requiring local processing and user interaction. The flaw’s Critical Microsoft severity rating therefore does not depend on it behaving like an internet-facing, no-click server vulnerability.
A plausible attack chain begins with an attacker creating a specially crafted Office file. The file is delivered to a user, after which Office processes the malicious content and the use-after-free condition corrupts memory in a way that permits code execution.
Action1’s analysis of the July 2026 updates reports that Microsoft identifies the Preview Pane as an attack vector for CVE-2026-50314. That raises the practical concern beyond a straightforward “open this attachment” scenario because certain preview workflows may cause Office-related components to inspect content before the user fully opens the document.
Successful exploitation would run code with the privileges of the affected user. A standard account can limit the immediate blast radius, while an administrator-level session can give the attacker substantially more control. Even with standard-user privileges, code execution may expose documents, browser data, authentication material, mapped drives, cloud-synchronized files, and other resources available to that user.
This is why RCE remains the useful impact label. The result is not merely an Office crash or disclosure of a small amount of memory. The security boundary crossed is the ability for an external attacker’s chosen code to execute on the endpoint.
Microsoft’s July release moves Office 2016 to build 16.0.5561.1000 through security update KB5002887. Listed fixed levels also include Office 2019 build 16.0.10417.20176, Office LTSC 2021 build 16.0.14334.20806, and Office LTSC 2024 build 16.0.17932.20884.
Microsoft 365 Apps build requirements vary by servicing channel. Current Channel systems require build 16.0.20131.20154, while listed Monthly Enterprise and Semi-Annual Enterprise configurations have their own fixed builds. Mac installations are addressed at Office version 16.111.26071215.
Administrators should verify installed Office versions rather than assuming Windows Update alone completed the work. Click-to-Run installations follow Microsoft 365 servicing channels, while volume-licensed Office editions may depend on separate deployment and update-management processes.
Until patch coverage is confirmed, organizations should treat unexpected Office files as executable-risk content rather than ordinary documents. Mail filtering, Microsoft Defender protections, attachment sandboxing, Mark of the Web enforcement, Protected View, and least-privilege user accounts can reduce exposure, but they do not replace the vendor update.
CVE-2026-50314 is therefore not mislabeled.
AV:L describes where the vulnerable component must process the attack.Microsoft published CVE-2026-50314 on July 14, 2026, as part of its monthly security release. Detailed in Microsoft’s Security Update Guide, the flaw carries a CVSS 3.1 base score of 7.8 and is classified as a Microsoft Office Remote Code Execution Vulnerability.
The underlying weakness is a use-after-free memory-management error, tracked as CWE-416. An unauthorized attacker can prepare malicious content that triggers the defect when Office processes it, potentially gaining the ability to execute arbitrary code in the security context of the affected user.
“Remote” Does Not Always Mean a Network Service
In everyday IT language, remote code execution often evokes an unauthenticated attacker sending packets directly to an exposed server. That is one form of RCE, but it is not the only one.For CVE-2026-50314, the attacker can be somewhere else and deliver a malicious Office document through email, a download, a collaboration platform, cloud storage, or another distribution channel. The attacker does not need to sit at the target PC, but the malicious file must ultimately be processed by Office on that PC.
Microsoft explicitly explains this distinction in its advisory. The word “Remote” in the vulnerability title refers to the attacker’s location; the exploit itself is carried out locally after content reaches the target system. Microsoft notes that this class of issue is also sometimes described as arbitrary code execution, or ACE.
That makes both descriptions technically consistent:
- The vulnerability is RCE because attacker-controlled code can execute on another person’s machine.
- The CVSS attack vector is Local because exploitation occurs through local processing rather than a remotely reachable network interface.
- The victim or another local mechanism must cause Office to process the malicious content.
AV:L does not necessarily mean an attacker already needs an interactive account, Remote Desktop session, or physical access to the computer. It means the vulnerable behavior is reached locally.CVSS Measures the Exploit Path, Not the Delivery Route
The CVSSAttack Vector metric describes how close an attacker must be to the vulnerable component at the moment exploitation occurs. AV:N, or Network, is normally used when an attacker can trigger the vulnerability by communicating with the affected application across a network boundary.An exposed web service, RPC endpoint, mail server, or listening TCP service might qualify for
AV:N. The vulnerable software receives the attack directly through a network-accessible interface.Office document vulnerabilities frequently work differently. Email or cloud storage may transport the malicious file, but those services are only the delivery mechanism. The actual vulnerability is triggered later, when Microsoft Office running on the endpoint parses or renders the file.
That separation is why a document arriving from the internet does not automatically make the CVSS vector
AV:N. From Office’s perspective, it is processing a local file or local content object. The network helped the attacker get the payload onto the machine, but it did not directly invoke the vulnerable Office code path.The same distinction applies to files copied from a USB drive, placed on a shared folder, downloaded through a browser, or synchronized by OneDrive. The origin and delivery route can vary without changing the technical point at which exploitation happens.
CVSS also evaluates other conditions separately. CVE-2026-50314 has a 7.8 base score because successful exploitation can have a high impact on confidentiality, integrity, and availability, despite requiring local processing and user interaction. The flaw’s Critical Microsoft severity rating therefore does not depend on it behaving like an internet-facing, no-click server vulnerability.
A Malicious Document Still Creates a Remote Threat
The Local rating can make an Office flaw look less urgent than it is. In practice, attackers routinely use documents, archives, links, disk images, and other files to bridge the gap between remote delivery and local execution.A plausible attack chain begins with an attacker creating a specially crafted Office file. The file is delivered to a user, after which Office processes the malicious content and the use-after-free condition corrupts memory in a way that permits code execution.
Action1’s analysis of the July 2026 updates reports that Microsoft identifies the Preview Pane as an attack vector for CVE-2026-50314. That raises the practical concern beyond a straightforward “open this attachment” scenario because certain preview workflows may cause Office-related components to inspect content before the user fully opens the document.
Successful exploitation would run code with the privileges of the affected user. A standard account can limit the immediate blast radius, while an administrator-level session can give the attacker substantially more control. Even with standard-user privileges, code execution may expose documents, browser data, authentication material, mapped drives, cloud-synchronized files, and other resources available to that user.
This is why RCE remains the useful impact label. The result is not merely an Office crash or disclosure of a small amount of memory. The security boundary crossed is the ability for an external attacker’s chosen code to execute on the endpoint.
Office Builds Need the July Security Updates
The affected product range includes Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Microsoft 365 for Mac, and the corresponding Office LTSC editions for Mac. Both 32-bit and 64-bit Windows installations are covered where applicable.Microsoft’s July release moves Office 2016 to build 16.0.5561.1000 through security update KB5002887. Listed fixed levels also include Office 2019 build 16.0.10417.20176, Office LTSC 2021 build 16.0.14334.20806, and Office LTSC 2024 build 16.0.17932.20884.
Microsoft 365 Apps build requirements vary by servicing channel. Current Channel systems require build 16.0.20131.20154, while listed Monthly Enterprise and Semi-Annual Enterprise configurations have their own fixed builds. Mac installations are addressed at Office version 16.111.26071215.
Administrators should verify installed Office versions rather than assuming Windows Update alone completed the work. Click-to-Run installations follow Microsoft 365 servicing channels, while volume-licensed Office editions may depend on separate deployment and update-management processes.
Until patch coverage is confirmed, organizations should treat unexpected Office files as executable-risk content rather than ordinary documents. Mail filtering, Microsoft Defender protections, attachment sandboxing, Mark of the Web enforcement, Protected View, and least-privilege user accounts can reduce exposure, but they do not replace the vendor update.
CVE-2026-50314 is therefore not mislabeled.
AV:L says Office must encounter and process the exploit on the endpoint; Remote Code Execution says the code can originate with an attacker who is nowhere near that endpoint. For Windows administrators, the distinction matters for understanding the attack chain—but not for deciding whether the July 14 Office fixes belong in the deployment queue.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com