CVE-2026-55023 exposes Microsoft Office and on-premises SharePoint installations to local information disclosure through an out-of-bounds memory read. Microsoft published the vulnerability on July 14, 2026, with fixes covering Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC 2021 and 2024, Office for Mac, and supported SharePoint Server editions.
Detailed in the Microsoft Security Response Center’s July security release, the flaw carries a CVSS 3.1 score of 5.5, placing it in the Medium severity range. Microsoft describes the underlying weakness as CWE-125, or an out-of-bounds read, which can allow software to return data from memory beyond the buffer it was supposed to access.
The National Vulnerability Database says an unauthorized attacker could exploit the issue to disclose information locally. That wording matters: CVE-2026-55023 is not classified as remote code execution, and Microsoft’s scoring does not indicate that it can be triggered automatically across a network.
Microsoft’s CVSS vector is
The likely risk boundary is therefore a malicious or specially constructed Office file, document content, or other input processed by an affected Office component. Microsoft’s public description does not yet provide a detailed exploitation sequence, so administrators should avoid assuming a particular application, attachment type, or preview mechanism is required.
The confidentiality rating is High, while integrity and availability impacts are rated None. A successful exploit is intended to retrieve information rather than alter files, install malware, crash a server, or take control of the affected application.
That distinction keeps the numerical severity at 5.5, but it does not make the vulnerability irrelevant. Memory disclosure bugs can reveal document data, process memory, credentials, tokens, pointers, or other values that were never intended to be included in an application’s output. Microsoft has not publicly specified which information CVE-2026-55023 can expose, so those possibilities should be treated as general risk examples rather than confirmed outcomes for this flaw.
The attack also is not considered automatable under the initial CISA Stakeholder-Specific Vulnerability Categorization assessment. As of July 14, CISA recorded no known exploitation and classified the technical impact as partial.
That is favorable compared with an Office zero-day already circulating in phishing campaigns. It still leaves a familiar enterprise security problem: users routinely open documents received through email, Teams, SharePoint, OneDrive, ticketing systems, and customer portals, giving attackers many opportunities to satisfy a user-interaction requirement.
Microsoft’s affected-product data lists the following fixed thresholds for server and perpetual products:
Administrators should verify the build installed on each update channel instead of checking only whether an Office update ran successfully. Devices held on deferred channels, disconnected endpoints, pooled virtual desktops, and systems excluded from normal deployment rings are the most obvious places for vulnerable builds to remain.
SharePoint expands the operational impact beyond user workstations. Even though the vulnerability’s CVSS vector is local and requires user interaction, the inclusion of SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition means organizations also need to account for centrally hosted document-processing components.
Microsoft’s July Office update catalog provides KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Separate July packages are available for SharePoint language packs and Office Online Server, while Office 2016 received updates across Excel, Word, PowerPoint, MSO, charting, graphing, and Visual Basic for Applications components.
The stronger case for prompt deployment comes from its breadth and its High confidentiality impact. The affected list spans subscription Office, perpetual Office, macOS clients, and three generations of SharePoint Server. A partially updated environment could close the desktop path while leaving a SharePoint farm, Mac fleet, or deferred Microsoft 365 channel exposed.
For managed Windows estates, the immediate action is to approve the July 14 Office security updates, then use Microsoft Configuration Manager, Intune, inventory scripts, or another endpoint-management platform to confirm installed Office builds. Merely checking Windows cumulative-update compliance will not establish that Click-to-Run Office or MSI-based Office components have received their separate fixes.
SharePoint administrators should follow their normal farm-patching procedure, including updating every server that hosts affected binaries and completing any required SharePoint configuration steps. Language packs should be included where installed rather than treated as optional cleanup.
Email and document controls remain useful while deployment completes, but they are not substitutes for patching. Blocking unsolicited Office attachments, using Protected View, retaining Mark of the Web, scanning files with Microsoft Defender for Office 365, and limiting downloads from untrusted SharePoint or OneDrive locations can reduce opportunities for user-assisted exploitation. None of those controls proves that an out-of-bounds read cannot be reached through another supported document workflow.
Microsoft has confirmed CVE-2026-55023 and issued an official fix, but it has not published enough technical detail to identify the exact data an attacker could recover or the specific Office parsing path involved. Until that changes, administrators should treat the July 14 updates as the reliable boundary: patch every affected Office channel and SharePoint farm, verify the resulting build numbers, and watch MSRC for any revision to the exploitation status.
Detailed in the Microsoft Security Response Center’s July security release, the flaw carries a CVSS 3.1 score of 5.5, placing it in the Medium severity range. Microsoft describes the underlying weakness as CWE-125, or an out-of-bounds read, which can allow software to return data from memory beyond the buffer it was supposed to access.
The National Vulnerability Database says an unauthorized attacker could exploit the issue to disclose information locally. That wording matters: CVE-2026-55023 is not classified as remote code execution, and Microsoft’s scoring does not indicate that it can be triggered automatically across a network.
User Interaction Limits the Attack, Not the Data Exposure
Microsoft’s CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, exploitation uses a local attack vector, has low attack complexity, requires no existing privileges, and depends on user interaction.The likely risk boundary is therefore a malicious or specially constructed Office file, document content, or other input processed by an affected Office component. Microsoft’s public description does not yet provide a detailed exploitation sequence, so administrators should avoid assuming a particular application, attachment type, or preview mechanism is required.
The confidentiality rating is High, while integrity and availability impacts are rated None. A successful exploit is intended to retrieve information rather than alter files, install malware, crash a server, or take control of the affected application.
That distinction keeps the numerical severity at 5.5, but it does not make the vulnerability irrelevant. Memory disclosure bugs can reveal document data, process memory, credentials, tokens, pointers, or other values that were never intended to be included in an application’s output. Microsoft has not publicly specified which information CVE-2026-55023 can expose, so those possibilities should be treated as general risk examples rather than confirmed outcomes for this flaw.
The attack also is not considered automatable under the initial CISA Stakeholder-Specific Vulnerability Categorization assessment. As of July 14, CISA recorded no known exploitation and classified the technical impact as partial.
That is favorable compared with an Office zero-day already circulating in phishing campaigns. It still leaves a familiar enterprise security problem: users routinely open documents received through email, Teams, SharePoint, OneDrive, ticketing systems, and customer portals, giving attackers many opportunities to satisfy a user-interaction requirement.
The Affected List Reaches Beyond Desktop Office
The CVE record identifies affected 32-bit and 64-bit Windows installations of Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Office LTSC 2021, and Office LTSC 2024. Mac installations are also included, with fixed builds beginning at Office version 16.111.26071215 for Microsoft 365, Office LTSC 2021, and Office LTSC 2024.Microsoft’s affected-product data lists the following fixed thresholds for server and perpetual products:
- Microsoft Office 2016 installations should be updated to version 16.0.5561.1000 or later.
- Microsoft SharePoint Enterprise Server 2016 should be updated to version 16.0.5561.1001 or later.
- Microsoft SharePoint Server 2019 should be updated to version 16.0.10417.20175 or later.
- Microsoft SharePoint Server Subscription Edition should be updated to version 16.0.19725.20434 or later.
- Office for Mac installations should be updated to version 16.111.26071215 or later.
Administrators should verify the build installed on each update channel instead of checking only whether an Office update ran successfully. Devices held on deferred channels, disconnected endpoints, pooled virtual desktops, and systems excluded from normal deployment rings are the most obvious places for vulnerable builds to remain.
SharePoint expands the operational impact beyond user workstations. Even though the vulnerability’s CVSS vector is local and requires user interaction, the inclusion of SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition means organizations also need to account for centrally hosted document-processing components.
Microsoft’s July Office update catalog provides KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Separate July packages are available for SharePoint language packs and Office Online Server, while Office 2016 received updates across Excel, Word, PowerPoint, MSO, charting, graphing, and Visual Basic for Applications components.
Patch Coverage Matters More Than the Medium Label
CVE-2026-55023 does not currently carry the urgency signals associated with an actively exploited zero-day. Microsoft has not reported exploitation in the wild, the flaw requires user interaction, and the published vector does not show an integrity or availability impact.The stronger case for prompt deployment comes from its breadth and its High confidentiality impact. The affected list spans subscription Office, perpetual Office, macOS clients, and three generations of SharePoint Server. A partially updated environment could close the desktop path while leaving a SharePoint farm, Mac fleet, or deferred Microsoft 365 channel exposed.
For managed Windows estates, the immediate action is to approve the July 14 Office security updates, then use Microsoft Configuration Manager, Intune, inventory scripts, or another endpoint-management platform to confirm installed Office builds. Merely checking Windows cumulative-update compliance will not establish that Click-to-Run Office or MSI-based Office components have received their separate fixes.
SharePoint administrators should follow their normal farm-patching procedure, including updating every server that hosts affected binaries and completing any required SharePoint configuration steps. Language packs should be included where installed rather than treated as optional cleanup.
Email and document controls remain useful while deployment completes, but they are not substitutes for patching. Blocking unsolicited Office attachments, using Protected View, retaining Mark of the Web, scanning files with Microsoft Defender for Office 365, and limiting downloads from untrusted SharePoint or OneDrive locations can reduce opportunities for user-assisted exploitation. None of those controls proves that an out-of-bounds read cannot be reached through another supported document workflow.
Microsoft has confirmed CVE-2026-55023 and issued an official fix, but it has not published enough technical detail to identify the exact data an attacker could recover or the specific Office parsing path involved. Until that changes, administrators should treat the July 14 updates as the reliable boundary: patch every affected Office channel and SharePoint farm, verify the resulting build numbers, and watch MSRC for any revision to the exploitation status.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
July 2026 updates for Microsoft Office | Microsoft Support
July 2026 updates for Microsoft Officesupport.microsoft.com - Related coverage: ncsc.gov.ie