CVE-2026-55026: Patch Office and SharePoint Data Disclosure

Microsoft has patched CVE-2026-55026, an Important-rated information disclosure vulnerability affecting Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC 2021 and 2024, Office for Mac, and supported SharePoint Server releases. The flaw can expose sensitive information without requiring privileges or user interaction, but exploitation must occur locally rather than across a network.
Published as part of Microsoft’s July 14, 2026 security releases, the vulnerability carries a CVSS 3.1 base score of 6.2. Microsoft describes the underlying weakness as an integer overflow or wraparound in Office and has classified it as CWE-190.
Microsoft’s Security Response Center marks the vulnerability’s report confidence as confirmed. That designation means Microsoft has sufficient evidence to verify that the flaw exists; it does not mean attacks have been observed in the wild.

Microsoft 365 security graphic warning of CVE-2026-55026 and urging users to install an update.A Local Attack With a High Confidentiality Impact​

The CVSS vector for CVE-2026-55026 is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. In practical terms, the attacker needs local access to the affected environment, but exploitation has low complexity, requires no existing privileges, and does not depend on a victim clicking through a prompt or opening a document during the attack.
A successful exploit can produce a high loss of confidentiality. Microsoft does not assign any direct integrity or availability impact, so the vulnerability is not expected to modify data, execute arbitrary code by itself, or crash the affected service.
That distinction keeps CVE-2026-55026 below Critical severity, but it should not be read as harmless. Information disclosure bugs are frequently useful as components in longer exploit chains, particularly when they reveal memory contents, pointers, tokens, document data, or other information that helps an attacker defeat security boundaries.
Microsoft has not published a detailed proof of concept or explained exactly what information can be recovered. Its brief description says an integer overflow or wraparound allows an unauthorized attacker to disclose information locally.
An integer overflow occurs when a calculation produces a value outside the range a program allocated for it. The value may then wrap around to a much smaller or otherwise unexpected number, potentially causing Office to calculate an incorrect buffer size, offset, or object length. Microsoft has not confirmed which of those conditions applies here, so any more specific explanation would be speculation.

“Confirmed” Describes Evidence, Not Active Exploitation​

The report-confidence language included in Microsoft’s advisory can easily be misread as an exploitation warning. In the Common Vulnerability Scoring System, report confidence measures how firmly the vulnerability and its technical characteristics have been established.
For CVE-2026-55026, Microsoft assigns RC:C, meaning Report Confidence: Confirmed. The company, as the vendor and CVE numbering authority, has acknowledged the vulnerability and shipped fixes for affected products.
The same vector lists exploit-code maturity as E:U, or unproven. That indicates Microsoft did not assign the vulnerability a higher temporal risk based on functional exploit code or confirmed attacks when the advisory was prepared. The remediation level is RL:O, reflecting the availability of an official vendor fix.
These signals should be interpreted separately:
  • Microsoft has confirmed that the vulnerability exists.
  • Microsoft has released official updates addressing it.
  • The published CVSS data does not establish that working exploit code is available.
  • Confirmation of the bug does not establish that it is being exploited in attacks.
That difference matters for patch prioritization. CVE-2026-55026 does not have the urgency of an actively exploited remote-code-execution zero-day, but its low attack complexity, lack of privilege requirements, and high confidentiality impact make it relevant on shared systems, application servers, virtual desktops, and machines that process sensitive Office documents.

The Affected Product List Reaches Beyond Desktop Office​

Microsoft’s CVE record identifies a broad set of Office and SharePoint products. Both 32-bit and 64-bit Windows editions are affected where those architectures are available.
Affected products include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024. Mac deployments are also in scope, including Microsoft 365 for Mac and Office LTSC for Mac 2021 and 2024.
The server-side exposure covers:
  • Microsoft SharePoint Enterprise Server 2016 before build 16.0.5561.1001.
  • Microsoft SharePoint Server 2019 before build 16.0.10417.20175.
  • Microsoft SharePoint Server Subscription Edition before build 16.0.19725.20434.
  • Office for Mac releases before version 16.111.26071215.
For Click-to-Run editions of Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Office LTSC 2024, administrators should consult the corresponding Office security-release information for their deployed update channel. Version compliance cannot safely be determined from the product’s marketing name alone because different channels receive different builds.
Microsoft’s July 2026 Office update index also lists separate packages for components such as Excel 2016, PowerPoint 2016, Word 2016, Office 2016 shared components, SharePoint Server, and Office Online Server. Organizations still running MSI-based Office 2016 therefore need to verify each applicable package rather than assuming a Microsoft 365 Apps update covers those installations.

SharePoint Farms Need More Than a Binary Update​

CVE-2026-55026 is included in the July 14 SharePoint security packages, including KB5002882 for SharePoint Server Subscription Edition. That package advances Subscription Edition to build 16.0.19725.20434 and replaces KB5002873.
Microsoft’s support documentation attaches operational warnings to the SharePoint update. Farms using SharePoint Workflow Manager must install KB5002799 before applying KB5002882. Environments still using the Classic version of Workflow Manager must enable Microsoft’s documented debug flag to continue using it.
The update also requires administrators to run the SharePoint configuration process rather than merely installing the binaries. As with other SharePoint security releases, a server that has received the package but has not completed PSConfig should not automatically be treated as fully patched at the farm level.
Microsoft documents a known issue involving an in-development defense-in-depth validation feature. After PSConfig, administrators are instructed to set DisableActorTokenAudienceValidation to $true and update the farm. Microsoft says this disables only the new defense-in-depth validation while leaving existing actor-token checks in place.
That workaround is not directly attributed to CVE-2026-55026, because KB5002882 resolves dozens of SharePoint, Word, and Office vulnerabilities in one cumulative package. It nevertheless affects deployment planning: administrators should test workflow behavior, execute the required farm steps, and verify the final SharePoint build instead of measuring success only through Windows Update status.
SharePoint Server 2016 and 2019 have their own July packages and target builds. Microsoft’s CVE data places the fixed thresholds at 16.0.5561.1001 for SharePoint Server 2016 and 16.0.10417.20175 for SharePoint Server 2019.

Patch Verification Is the Practical Priority​

Desktop administrators should first identify which Office servicing model is installed. MSI-based Office 2016 requires the relevant standalone July security updates, while Microsoft 365 Apps and newer Click-to-Run products should be checked against the security build assigned to their update channel.
Mac administrators should verify that Office has reached at least version 16.111.26071215. SharePoint teams should confirm the installed farm build after completing the configuration wizard or PowerShell equivalent, while also accounting for Microsoft’s Workflow Manager prerequisites and documented post-update setting.
Because Microsoft has not published detailed exploitation steps, administrators have little basis for a narrowly tailored mitigation or detection rule. There is also no vendor-documented workaround that should be treated as a substitute for updating.
The useful signal in the advisory is therefore straightforward: CVE-2026-55026 is a confirmed vulnerability with an official fix, not a confirmed attack campaign. Organizations should deploy the July 14, 2026 Office and SharePoint updates through their normal accelerated security cycle, with particular attention to shared Office hosts and SharePoint farms where local access can expose data belonging to many users.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: ncsc.gov.ie
 

Back
Top