CVE-2026-55022: Patch Critical Office RCE in July 14 Updates

Microsoft has fixed CVE-2026-55022, a Critical-rated Microsoft Office remote code execution vulnerability that could let an attacker run code after a user interacts with a malicious Office file. Released on July 14 as part of Microsoft’s July 2026 security updates, the flaw affects Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and supported Office editions for macOS.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55022 carries a CVSS 3.1 score of 7.8. Microsoft describes the underlying weakness as type confusion, where Office accesses a resource using an incompatible data type and can consequently enter an unsafe memory state.
Administrators should prioritize Office updates even though Microsoft’s metrics indicate that exploitation requires user interaction and was not known to be occurring when the advisory was published. The absence of detected attacks is useful context, but it does not reduce the potential impact: successful exploitation could compromise confidentiality, integrity, and availability under the affected user’s security context.

Cybersecurity illustration showing a laptop defending a document from malware and data breaches across connected devices.“Remote” Delivery Still Requires a Local Trigger​

The CVSS vector for CVE-2026-55022 is local rather than network-based, which can appear inconsistent with Microsoft’s “remote code execution” title. In Office advisories, however, remote commonly describes how the attacker can deliver the malicious content rather than a service that can be attacked directly across the network.
An attacker would need to prepare malicious content and persuade a target to interact with it. Microsoft’s CVSS assessment specifies low attack complexity, no privileges required and user interaction required, indicating that the attacker does not need an existing account on the machine but cannot silently exploit an exposed Office network service.
Once triggered, the flaw could allow code execution with the permissions of the person running Office. A standard user account would limit some post-exploitation actions, while a user operating with elevated rights could expose the system to a more extensive compromise.
That distinction matters for enterprise risk calculations. CVE-2026-55022 is not an unauthenticated wormable vulnerability, but Office documents remain an effective initial-access mechanism because invoices, résumés, project files and internal reports routinely cross trust boundaries through email, Teams, SharePoint, OneDrive and third-party collaboration platforms.

Type Confusion Turns Document Processing Into Code Execution​

Microsoft maps the vulnerability to CWE-843, Access of Resource Using Incompatible Type, commonly called type confusion. This class of memory-safety error occurs when an application treats an object or resource as though it has a different structure than it actually does.
The resulting memory access can cause a crash, but carefully controlled data may permit more serious outcomes. In CVE-2026-55022, Microsoft concluded that the condition could be used for arbitrary code execution rather than merely denial of service.
Microsoft has not publicly documented the exact Office parser, file format or application component involved. That limits defenders’ ability to create narrowly targeted detection rules based solely on the advisory. It also means administrators should avoid assuming that blocking macros is sufficient, since the published weakness is a memory-handling error rather than a macro-policy bypass.
The CVSS vector reports high potential impact to confidentiality, integrity and availability. In practical terms, code running as the victim could read accessible documents, alter or encrypt files, access browser or application data available to that account, and launch additional malware. Attackers could then attempt credential theft or privilege escalation using separate techniques.
Microsoft’s temporal vector lists exploit-code maturity as unproven and remediation as official, with the report confidence marked confirmed. That last metric is the important one behind the advisory language supplied with the disclosure: Microsoft is confirming that the vulnerability exists and that the technical classification is sufficiently established, not merely recording an unverified report.

The Affected Office Footprint Spans Windows and Mac​

The CVE record identifies both 32-bit and 64-bit Windows installations across several Office servicing models. Organizations should account for Click-to-Run installations, perpetual-volume-license deployments and macOS systems rather than limiting remediation to Windows Update rings.
Affected products include:
  • Microsoft 365 Apps for enterprise installations on 32-bit and 64-bit Windows require the applicable Office security release for their update channel.
  • Microsoft Office 2016 installations earlier than version 16.0.5561.1000 are listed as affected.
  • Microsoft Office 2019, Office LTSC 2021 and Office LTSC 2024 are included in Microsoft’s affected-product data.
  • Microsoft 365 for Mac, Office LTSC for Mac 2021 and Office LTSC for Mac 2024 installations earlier than version 16.111.26071215 are listed as affected.
The broad product range makes inventory accuracy more important than searching for one universal Windows KB number. Microsoft 365 Apps receives fixes through its servicing channels, while MSI-based or volume-licensed Office installations may use individual security packages and enterprise update infrastructure.
For managed Microsoft 365 Apps estates, administrators should verify that devices have checked in and reached a patched build appropriate to the configured channel. A successful Windows cumulative update does not necessarily prove that Office Click-to-Run has also updated.
Mac systems deserve the same verification. Microsoft’s affected-version data provides a clear threshold—16.111.26071215—so administrators can query application inventories rather than relying on users to report that AutoUpdate completed.

Patch Office, Then Prove the Patch Landed​

The immediate action is to deploy Microsoft’s July 14, 2026 Office security updates and confirm installed versions afterward. Zero Day Initiative’s July update review characterized the month’s numerous Office code-execution fixes as individually less notable than their collective exposure, with the practical recommendation to patch Office and reboot.
For enterprise IT, that should translate into a short validation cycle rather than blind approval:
  • Identify unsupported, unmanaged or rarely connected Office installations that may not receive normal deployment policies.
  • Confirm the installed Office architecture, servicing channel and build instead of inferring compliance from the Windows operating-system patch level.
  • Prioritize users who regularly handle external documents, including finance, recruiting, legal, sales and support teams.
  • Retain email filtering, attachment detonation and endpoint detection controls because patched Office does not eliminate every malicious-document technique.
  • Investigate unexpected Office child processes, script interpreters or payload downloads, particularly where the parent application handled an externally sourced file.
Organizations unable to patch immediately should reduce exposure to untrusted Office content and process suspicious documents in isolated environments. The published Microsoft and CVE records do not identify a dedicated workaround that should be treated as equivalent to installing the update.
CVE-2026-55022 was not one of the July vulnerabilities reported as publicly disclosed or exploited in the wild at release time. That gives administrators room for controlled testing, but not a reason to defer the update indefinitely: the flaw is confirmed, Microsoft rates it Critical, and the technical record gives attackers a clear starting point—Office document handling, type confusion and user-triggered code execution.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: techradar.com
 

Back
Top