Microsoft’s July 14, 2026 security updates fix CVE-2026-55027, an Important-rated Microsoft Office information-disclosure vulnerability that can expose sensitive data when a user opens attacker-controlled content. The flaw affects supported Microsoft 365 Apps, Office 2016 and 2019, Office LTSC releases for Windows and macOS, and several on-premises SharePoint Server versions.
Microsoft’s Security Response Center describes the vulnerability as an out-of-bounds read in Microsoft Office. The National Vulnerability Database, which received the record from Microsoft on July 14, lists it as CWE-125 and gives Microsoft’s CVSS 3.1 base score of 5.5, classified as Medium under the CVSS scale.
The score should not be mistaken for a reason to leave the update in a long testing queue. Microsoft rates CVE-2026-55027 as Important, and the vulnerable software includes Office applications that routinely process documents obtained through email, Teams, SharePoint, OneDrive, browsers, and other external channels.
Microsoft’s CVSS vector is
The most likely attack path is therefore a specially crafted file or other Office-compatible content presented to a target. Microsoft has not publicly documented the required file format, affected Office component, memory layout, or exact sequence needed to trigger the out-of-bounds read. Administrators should avoid narrowing their controls to Word, Excel, or PowerPoint unless Microsoft later identifies a specific application.
Successful exploitation affects confidentiality but is not scored as changing data or disrupting availability. Microsoft rates the potential confidentiality loss as High, indicating that the information exposed through the invalid memory read could be significant rather than limited to a harmless crash report or minor process metadata.
An out-of-bounds read occurs when software reads memory outside the area it was supposed to access. Depending on where the invalid read lands, the resulting disclosure could reveal application data, fragments of documents, credentials or tokens held in process memory, memory addresses useful for bypassing exploit mitigations, or other information belonging to the current session. Microsoft has not confirmed which of those outcomes is possible in this particular flaw, so they remain risk scenarios rather than established capabilities.
The vulnerability does not, by itself, provide remote code execution. Its CVSS vector assigns no integrity or availability impact, and Microsoft’s public description is limited to information disclosure. That distinction matters, particularly during a July release containing numerous Office remote-code-execution fixes with higher immediate impact.
It does not make CVE-2026-55027 harmless. Information-disclosure flaws are frequently useful as one stage in a larger exploit chain, especially when leaked memory can reduce the effectiveness of address randomization or reveal data needed for a second attack. Microsoft has not reported such a chain involving this CVE.
Mac deployments are included as well. Microsoft lists Microsoft Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 versions earlier than 16.111.26071215 as vulnerable.
For perpetual Office 2016 installations, Microsoft identifies versions below 16.0.5561.1000 as affected. Click-to-Run products such as Microsoft 365 Apps and newer perpetual releases are serviced according to their respective Office update channels, meaning administrators should verify the installed build against Microsoft’s July 2026 Office security-release tables rather than assuming that Windows Update alone has completed the job.
CVE-2026-55027 also appears in the affected records for three on-premises SharePoint products:
Microsoft’s July Office update index includes Office 2016 security packages for Word, Excel, PowerPoint, shared Office components, charting, graphing, and Visual Basic for Applications. The company recommends installing every July update that applies to the deployed Office configuration rather than selecting a single package based only on this CVE.
KB5002882 carries deployment prerequisites for organizations using SharePoint Workflow Manager. Microsoft instructs farms running the current SharePoint Workflow Manager to install KB5002799 before applying the cumulative update. Farms still using the Classic version of Workflow Manager must enable Microsoft’s specified server debug flag to keep workflows operational.
The update also has a documented post-installation action. After running PSConfig, Microsoft instructs administrators to set
SharePoint Server 2016 receives applicable July fixes through packages including KB5002891 and the KB5002892 language-pack update, with build 16.0.5561.1001 marking the corrected level listed for this CVE. SharePoint administrators should match packages to installed language packs and farm roles rather than treating one successfully patched server as proof that the entire farm is protected.
Testing remains necessary, particularly for farms with custom solutions, legacy workflows, authentication integrations, or third-party web parts. However, the presence of many security fixes in the same cumulative package argues against delaying deployment solely because CVE-2026-55027 has a 5.5 score.
The technical picture is less complete. Microsoft has disclosed the weakness class, impact, CVSS vector, affected products, and corrected build thresholds, but it has not published a proof of concept, vulnerable function name, malicious-file structure, crash trace, or detailed exploitation narrative. The National Vulnerability Database was still enriching its entry on July 15 and had not supplied an independent NVD score.
CISA’s initial SSVC data recorded no known exploitation, assessed the flaw as not readily automatable, and described its technical impact as partial. There was also no indication in the initial public records that CVE-2026-55027 had been added to CISA’s Known Exploited Vulnerabilities catalog.
Those points lower the evidence of immediate attack activity; they do not lower confidence that the vulnerability is real. The flaw is vendor-confirmed, while the public exploit knowledge remains sparse. That gap may narrow once researchers compare patched and unpatched Office binaries, making the period immediately after Patch Tuesday a poor time to depend on obscurity.
Endpoint administrators should confirm that Microsoft 365 Apps have advanced to a July 2026 security build across every configured update channel, including devices that have been offline or excluded by deployment rings. Office 2016 and SharePoint estates require particular attention because their MSI-based and server-side packages do not necessarily follow the same servicing path as Click-to-Run clients.
The immediate milestone is straightforward: Windows and Mac Office clients need the corrected July builds, while SharePoint farms need the appropriate cumulative updates, prerequisites, PSConfig completion, and post-installation checks. Until Microsoft publishes deeper technical details, file-origin controls, Protected View, attachment filtering, and least-privilege practices remain useful layers—but they are not substitutes for installing the fixes released on July 14, 2026.
Microsoft’s Security Response Center describes the vulnerability as an out-of-bounds read in Microsoft Office. The National Vulnerability Database, which received the record from Microsoft on July 14, lists it as CWE-125 and gives Microsoft’s CVSS 3.1 base score of 5.5, classified as Medium under the CVSS scale.
The score should not be mistaken for a reason to leave the update in a long testing queue. Microsoft rates CVE-2026-55027 as Important, and the vulnerable software includes Office applications that routinely process documents obtained through email, Teams, SharePoint, OneDrive, browsers, and other external channels.
Exploitation Requires a User, Not Administrator Access
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, exploitation is local rather than directly network-based, requires low attack complexity, needs no prior privileges, and depends on user interaction.The most likely attack path is therefore a specially crafted file or other Office-compatible content presented to a target. Microsoft has not publicly documented the required file format, affected Office component, memory layout, or exact sequence needed to trigger the out-of-bounds read. Administrators should avoid narrowing their controls to Word, Excel, or PowerPoint unless Microsoft later identifies a specific application.
Successful exploitation affects confidentiality but is not scored as changing data or disrupting availability. Microsoft rates the potential confidentiality loss as High, indicating that the information exposed through the invalid memory read could be significant rather than limited to a harmless crash report or minor process metadata.
An out-of-bounds read occurs when software reads memory outside the area it was supposed to access. Depending on where the invalid read lands, the resulting disclosure could reveal application data, fragments of documents, credentials or tokens held in process memory, memory addresses useful for bypassing exploit mitigations, or other information belonging to the current session. Microsoft has not confirmed which of those outcomes is possible in this particular flaw, so they remain risk scenarios rather than established capabilities.
The vulnerability does not, by itself, provide remote code execution. Its CVSS vector assigns no integrity or availability impact, and Microsoft’s public description is limited to information disclosure. That distinction matters, particularly during a July release containing numerous Office remote-code-execution fixes with higher immediate impact.
It does not make CVE-2026-55027 harmless. Information-disclosure flaws are frequently useful as one stage in a larger exploit chain, especially when leaked memory can reduce the effectiveness of address randomization or reveal data needed for a second attack. Microsoft has not reported such a chain involving this CVE.
The Affected List Reaches Beyond Desktop Office
The CVE record identifies both 32-bit and 64-bit Microsoft 365 Apps for Enterprise installations as affected. It also covers Microsoft Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 on Windows.Mac deployments are included as well. Microsoft lists Microsoft Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 versions earlier than 16.111.26071215 as vulnerable.
For perpetual Office 2016 installations, Microsoft identifies versions below 16.0.5561.1000 as affected. Click-to-Run products such as Microsoft 365 Apps and newer perpetual releases are serviced according to their respective Office update channels, meaning administrators should verify the installed build against Microsoft’s July 2026 Office security-release tables rather than assuming that Windows Update alone has completed the job.
CVE-2026-55027 also appears in the affected records for three on-premises SharePoint products:
- Microsoft SharePoint Server 2016 installations below build 16.0.5561.1001 are affected.
- Microsoft SharePoint Server 2019 installations below build 16.0.10417.20175 are affected.
- Microsoft SharePoint Server Subscription Edition installations below build 16.0.19725.20434 are affected.
Microsoft’s July Office update index includes Office 2016 security packages for Word, Excel, PowerPoint, shared Office components, charting, graphing, and Visual Basic for Applications. The company recommends installing every July update that applies to the deployed Office configuration rather than selecting a single package based only on this CVE.
SharePoint Farms Need the Release Notes, Not Just the Binary
For SharePoint Server Subscription Edition, CVE-2026-55027 is included in KB5002882, which installs security update build 16.0.19725.20434. Microsoft says the cumulative package also resolves a large set of SharePoint and Office vulnerabilities, including remote-code-execution, spoofing, security-feature-bypass, elevation-of-privilege, and information-disclosure issues.KB5002882 carries deployment prerequisites for organizations using SharePoint Workflow Manager. Microsoft instructs farms running the current SharePoint Workflow Manager to install KB5002799 before applying the cumulative update. Farms still using the Classic version of Workflow Manager must enable Microsoft’s specified server debug flag to keep workflows operational.
The update also has a documented post-installation action. After running PSConfig, Microsoft instructs administrators to set
DisableActorTokenAudienceValidation to $true through the SharePoint farm object because a defense-in-depth validation feature under development can cause a regression. Microsoft says existing actor-token validation checks remain active, but the instruction still deserves explicit inclusion in change records because it modifies farm-wide security behavior.SharePoint Server 2016 receives applicable July fixes through packages including KB5002891 and the KB5002892 language-pack update, with build 16.0.5561.1001 marking the corrected level listed for this CVE. SharePoint administrators should match packages to installed language packs and farm roles rather than treating one successfully patched server as proof that the entire farm is protected.
Testing remains necessary, particularly for farms with custom solutions, legacy workflows, authentication integrations, or third-party web parts. However, the presence of many security fixes in the same cumulative package argues against delaying deployment solely because CVE-2026-55027 has a 5.5 score.
Public Technical Detail Remains Limited
The supplied vulnerability metric language concerns confidence in whether a flaw exists and how much reliable technical information is available. For CVE-2026-55027, the existence of the vulnerability carries high confidence because Microsoft, the product vendor and assigning CVE authority, has acknowledged it and released fixes.The technical picture is less complete. Microsoft has disclosed the weakness class, impact, CVSS vector, affected products, and corrected build thresholds, but it has not published a proof of concept, vulnerable function name, malicious-file structure, crash trace, or detailed exploitation narrative. The National Vulnerability Database was still enriching its entry on July 15 and had not supplied an independent NVD score.
CISA’s initial SSVC data recorded no known exploitation, assessed the flaw as not readily automatable, and described its technical impact as partial. There was also no indication in the initial public records that CVE-2026-55027 had been added to CISA’s Known Exploited Vulnerabilities catalog.
Those points lower the evidence of immediate attack activity; they do not lower confidence that the vulnerability is real. The flaw is vendor-confirmed, while the public exploit knowledge remains sparse. That gap may narrow once researchers compare patched and unpatched Office binaries, making the period immediately after Patch Tuesday a poor time to depend on obscurity.
Endpoint administrators should confirm that Microsoft 365 Apps have advanced to a July 2026 security build across every configured update channel, including devices that have been offline or excluded by deployment rings. Office 2016 and SharePoint estates require particular attention because their MSI-based and server-side packages do not necessarily follow the same servicing path as Click-to-Run clients.
The immediate milestone is straightforward: Windows and Mac Office clients need the corrected July builds, while SharePoint farms need the appropriate cumulative updates, prerequisites, PSConfig completion, and post-installation checks. Until Microsoft publishes deeper technical details, file-origin controls, Protected View, attachment filtering, and least-privilege practices remain useful layers—but they are not substitutes for installing the fixes released on July 14, 2026.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
July 2026 updates for Microsoft Office | Microsoft Support
July 2026 updates for Microsoft Officesupport.microsoft.com - Related coverage: techradar.com
Worrying Microsoft Office security flaw patched - update now or risk hackers accessing your files | TechRadar
Microsoft forced to issue an emergency patchwww.techradar.com