CVE-2026-55018: Patch Critical Office RCE with KB5002887

Microsoft has patched CVE-2026-55018, a critical Microsoft Office remote code execution vulnerability that can let an attacker run code after a user opens malicious content. The July 14, 2026 security release covers Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021 and 2024, plus supported Office editions on macOS.
Detailed in Microsoft’s Security Update Guide, the flaw is a use-after-free memory-safety bug tracked as CWE-416. Microsoft assigned it a CVSS 3.1 score of 7.8, while classifying its maximum severity as Critical—a reminder that the numerical score and Microsoft’s product-specific severity rating measure risk from different angles.
There is currently no indication that CVE-2026-55018 was publicly disclosed or exploited before the patch arrived. CISA’s initial assessment recorded no known exploitation, although successful exploitation would have a total technical impact on the compromised application context.

Cybersecurity dashboard showing a critical vulnerability blocked, software update, and enterprise patch deployment.The Attack Still Needs a User to Open the Door​

Despite the “remote code execution” name, CVE-2026-55018 is not a network worm capable of silently reaching an exposed Windows PC. Microsoft’s CVSS vector specifies local attack access, low attack complexity, no privileges required and required user interaction.
The likely danger is therefore a malicious Office file delivered through email, messaging, cloud storage or a download. An attacker must persuade the target to open or otherwise process the content in an affected Office installation, at which point the use-after-free condition could be triggered.
A use-after-free occurs when software continues to reference memory after that memory has been released. Carefully controlling what replaces the freed data can turn an ordinary application crash into code execution, potentially allowing an attacker’s instructions to run with the rights of the person using Office.
Microsoft scores the possible effects as high for confidentiality, integrity and availability. In practical terms, successful exploitation could expose accessible documents and credentials, modify data, install malware or disrupt the Office application and the user’s workstation.
The privileges of the signed-in user remain important. An employee operating without local administrator rights presents a smaller post-exploitation target than an administrator running Office under a privileged account, but a standard account can still expose email, synced OneDrive files, browser sessions and corporate data available to that identity.
Protected View, attachment filtering and endpoint security may complicate delivery, but they should not be treated as substitutes for the update. Microsoft has not published enough exploit-chain detail to justify relying on one document-handling control as a complete workaround.

Microsoft’s “Confirmed” Rating Removes One Kind of Uncertainty​

The report-confidence language accompanying the vulnerability concerns how firmly the flaw and its technical characteristics have been established. It does not measure how frequently attackers are using it, nor does it predict with certainty whether exploit code will appear.
For CVE-2026-55018, confidence is effectively at the confirmed end of that scale. Microsoft is the assigning CVE Numbering Authority, identified the weakness as a use-after-free, supplied the affected-product data and released official fixes. This is not an uncorroborated researcher claim awaiting vendor validation.
That distinction matters because a confirmed vulnerability gives defenders reliable information for asset matching and gives attackers a clearer starting point for patch analysis. Once updates are public, adversaries can compare patched and unpatched Office binaries—a process known as patch diffing—to locate the changed code and work backward toward a trigger.
The absence of known exploitation on July 14 does not therefore make the vulnerability low priority. It means administrators have a window in which to deploy the fix before weaponization is observed, rather than evidence that exploitation will remain impractical.
CVE-2026-55018 was also released amid an unusually large July 2026 Patch Tuesday. BleepingComputer counted 570 Microsoft vulnerabilities in the release, while Trend Micro’s Zero Day Initiative highlighted a substantial cluster of Critical-rated Office code-execution flaws. That volume creates a real prioritization problem, but Office document vulnerabilities retain a familiar and broadly usable delivery route.

The Affected Office Footprint Crosses Windows and Mac​

The published affected-product record includes both 32-bit and 64-bit Windows installations. Organizations should account for the following product families rather than checking only Microsoft 365 Apps:
  • Microsoft 365 Apps for enterprise installations need the applicable July 2026 Office security release for their servicing channel.
  • Microsoft Office 2016 is affected below version 16.0.5561.1000 on both 32-bit and 64-bit systems.
  • Microsoft Office 2019 for Windows is affected and must be brought to the applicable current security release.
  • Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on 32-bit and 64-bit Windows systems.
  • Microsoft 365 and Office 365 for Mac installations are affected below version 16.111.26071215.
  • Office LTSC for Mac 2021 and Office LTSC for Mac 2024 are affected below version 16.111.26071215.
For MSI-based Office 2016, Microsoft ties CVE-2026-55018 to KB5002887, the July 14 security update for the shared Office components. Microsoft says the update is available through Microsoft Update, the Microsoft Update Catalog and the Download Center, and it replaces KB5002878.
The KB5002887 package applies specifically to MSI-based Office 2016. Click-to-Run installations—including most Microsoft 365 deployments—receive fixes through the Office servicing system instead, so administrators should verify the installed update channel and build rather than searching for the MSI package on every endpoint.
On managed Microsoft 365 Apps estates, deployment timing may depend on whether devices use Current Channel, Monthly Enterprise Channel or a semiannual channel. Security teams should confirm that update policies have not left a pilot ring, virtual desktop pool or rarely connected laptop on a pre-July build.
Mac administrators have a cleaner published threshold: version 16.111.26071215. Inventory systems should still distinguish Microsoft 365 for Mac from perpetual Office LTSC installations, even though the listed fixed build is the same.

Patch Verification Matters More Than a Successful Deployment Job​

A management console reporting “installed” does not necessarily prove that every Office application has loaded the corrected binaries. Devices may be offline, Office processes may remain open, Click-to-Run updates may be staged but unapplied, or users may have disabled updates on unmanaged installations.
Administrators should validate the resulting Office version after deployment and investigate machines that remain below the applicable fixed release. For Office 2016 MSI systems, confirming KB5002887 and an updated Office build provides a concrete checkpoint. Microsoft 365 Apps and Office LTSC Click-to-Run environments should be compared against Microsoft’s July 2026 Office security release table for their channel.
Security teams can reduce exposure during rollout by tightening controls around Office attachments and internet-sourced documents. Mail gateways should continue blocking executable or unusual container formats, and users should be discouraged from bypassing Protected View or security warnings for unexpected files.
Endpoints handling high-risk mailboxes deserve particular attention. Finance, human resources, legal teams, executive assistants and help-desk staff routinely receive documents from outside the organization, giving attackers a plausible pretext for delivering a weaponized file.
CVE-2026-55018 is not listed as an exploited zero-day, but its low attack complexity, lack of a privilege requirement and potential for complete compromise of Office data make delayed deployment difficult to defend. The immediate milestone for IT teams is straightforward: install the July 14 Office updates, verify the resulting build on both Windows and macOS, and watch for any Microsoft revision or evidence that malicious documents have begun targeting the flaw.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top