Microsoft patched CVE-2026-55028, an Important-rated Microsoft Office information-disclosure vulnerability, on July 14, 2026. The flaw can expose sensitive memory contents when an affected Office component performs an out-of-bounds read, but exploitation requires a user to interact with attacker-controlled content.
Microsoft’s Security Response Center disclosed the vulnerability through its July 2026 Security Update Guide. The National Vulnerability Database has reproduced Microsoft’s technical assessment but remains in its Awaiting Enrichment stage, meaning NIST has not yet supplied an independent severity analysis.
Administrators should update affected Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC, Office for Mac, and on-premises SharePoint installations. Although CVE-2026-55028 is not a remote-code-execution bug, Microsoft’s scoring indicates that successful exploitation could produce a high confidentiality impact.
Microsoft describes CVE-2026-55028 as an out-of-bounds read, categorized under CWE-125. This class of memory-safety error occurs when software reads beyond the boundary of an allocated buffer, potentially returning data that was never intended to be accessible through the affected operation.
The vulnerability carries a Microsoft-assigned CVSS 3.1 base score of 5.5, placing it in the Medium numerical band even though Microsoft labels the security update Important. Its vector is
That vector provides more useful operational detail than the headline score:
Microsoft has not published a proof of concept, sample file, or detailed description of which Office parser or document structure reaches the faulty read. SANS Internet Storm Center’s July Patch Tuesday tracking lists CVE-2026-55028 as neither publicly disclosed nor detected in exploitation as of July 14.
For Mac installations, Microsoft identifies version 16.111.26071215 as the corrected boundary for Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024. Windows Click-to-Run products are serviced through their respective Office update channels rather than one universal standalone package, so administrators should verify the installed channel and build against Microsoft’s July Office security-release table.
Office 2016 installations older than version 16.0.5561.1000 are listed as affected. That edition remains especially important in inventories where MSI-based Office deployments have been retained for compatibility with add-ins, document-management clients, or older line-of-business applications.
The affected data also includes on-premises SharePoint products. SharePoint uses Office and Word-related components for document processing and rendering, which means an Office-branded CVE can require server-side remediation even when administrators do not consider those systems conventional Office endpoints.
Microsoft’s July packages include fixes for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The SharePoint Server 2016 package reaches build 16.0.5561.1001, while the Subscription Edition security update, KB5002882, is build 16.0.19725.20434.
That broader footprint makes asset identification more important than simply checking whether Word or Excel is installed on employee PCs. Patch teams should query both endpoint-management platforms and the SharePoint farm inventory before declaring the CVE remediated.
For SharePoint Server Subscription Edition, Microsoft says organizations using SharePoint Workflow Manager must install Workflow Manager update KB5002799 before deploying KB5002882. Farms still using the Classic version of Workflow Manager must also enable Microsoft’s documented server debug flag to maintain workflow operation.
Microsoft additionally instructs Subscription Edition administrators to run PowerShell commands after PSConfig to disable a defense-in-depth actor-token audience validation feature that can cause a regression. The company says existing actor-token validation remains in place, but the instruction underscores why SharePoint updates should not be pushed as unattended Windows patches without reviewing the accompanying KB article.
The July Subscription Edition update also fixes a nonsecurity problem that prevented SharePoint 2010 workflows from starting after the June 2026 update. That repair may reduce deployment resistance for farms already dealing with the earlier regression, but administrators should still test workflow initiation, document rendering, search, and Office Web Apps integrations after updating.
SharePoint Server 2016 has separate server and language-pack packages, including KB5002891 and KB5002892. Microsoft’s support material associates CVE-2026-55028 with the July language-pack update, so farms with language packs should not assume that installing only the core binary package completes remediation.
In this case, the vulnerability’s existence has strong confidence because Microsoft, the product vendor and CVE Numbering Authority, has acknowledged it and shipped corrected software. The weakness type, attack vector, required user interaction, and confidentiality impact are also vendor-assigned rather than inferred solely from an unverified third-party report.
What remains limited is the depth of public technical knowledge. Microsoft has identified the root weakness as an out-of-bounds read but has not publicly documented the vulnerable function, affected file format, leaked memory region, or a reliable exploitation method. NVD’s pending enrichment status reinforces that the public record is currently authoritative but sparse.
That combination should temper, rather than eliminate, urgency. Attackers have enough information to know that malformed content can potentially recover sensitive process memory, while defenders do not yet have detailed indicators that could reliably distinguish an exploit attempt from an ordinary malformed document.
MSI-based Office 2016 systems should receive the applicable July Office updates through Microsoft Update, WSUS, Microsoft Configuration Manager, the Update Catalog, or Microsoft’s standalone packages. Mac administrators should verify that Office reports version 16.111.26071215 or later.
SharePoint teams have the heavier change window. They should back up the farm, review Workflow Manager prerequisites, install every applicable server and language-pack package, run the SharePoint Products Configuration Wizard or PSConfig across the farm, and then confirm the resulting build numbers.
CVE-2026-55028 was not identified as an exploited zero-day when Microsoft published it on July 14, but its low attack complexity, lack of required privileges, and high confidentiality impact argue against leaving it for an indefinite maintenance cycle. The immediate milestone is straightforward: bring desktop Office and Mac installations onto their July security builds, and treat the corresponding SharePoint updates as a coordinated farm deployment rather than an ordinary endpoint patch.
Microsoft’s Security Response Center disclosed the vulnerability through its July 2026 Security Update Guide. The National Vulnerability Database has reproduced Microsoft’s technical assessment but remains in its Awaiting Enrichment stage, meaning NIST has not yet supplied an independent severity analysis.
Administrators should update affected Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC, Office for Mac, and on-premises SharePoint installations. Although CVE-2026-55028 is not a remote-code-execution bug, Microsoft’s scoring indicates that successful exploitation could produce a high confidentiality impact.
An Out-of-Bounds Read With User Interaction Attached
Microsoft describes CVE-2026-55028 as an out-of-bounds read, categorized under CWE-125. This class of memory-safety error occurs when software reads beyond the boundary of an allocated buffer, potentially returning data that was never intended to be accessible through the affected operation.The vulnerability carries a Microsoft-assigned CVSS 3.1 base score of 5.5, placing it in the Medium numerical band even though Microsoft labels the security update Important. Its vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.That vector provides more useful operational detail than the headline score:
- An attacker needs a local attack path rather than being able to trigger the flaw directly over a network.
- Exploitation has low complexity and does not require the attacker to hold privileges beforehand.
- A user must perform an action, such as opening or otherwise processing malicious content.
- Successful exploitation can significantly affect confidentiality but is not expected to modify data or disrupt availability.
Microsoft has not published a proof of concept, sample file, or detailed description of which Office parser or document structure reaches the faulty read. SANS Internet Storm Center’s July Patch Tuesday tracking lists CVE-2026-55028 as neither publicly disclosed nor detected in exploitation as of July 14.
The Affected Footprint Extends Beyond Desktop Office
The CVE record identifies a broad set of affected Office editions on Windows and macOS. Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 appear in the affected-product data, alongside Microsoft 365 and LTSC editions for Mac.For Mac installations, Microsoft identifies version 16.111.26071215 as the corrected boundary for Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024. Windows Click-to-Run products are serviced through their respective Office update channels rather than one universal standalone package, so administrators should verify the installed channel and build against Microsoft’s July Office security-release table.
Office 2016 installations older than version 16.0.5561.1000 are listed as affected. That edition remains especially important in inventories where MSI-based Office deployments have been retained for compatibility with add-ins, document-management clients, or older line-of-business applications.
The affected data also includes on-premises SharePoint products. SharePoint uses Office and Word-related components for document processing and rendering, which means an Office-branded CVE can require server-side remediation even when administrators do not consider those systems conventional Office endpoints.
Microsoft’s July packages include fixes for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The SharePoint Server 2016 package reaches build 16.0.5561.1001, while the Subscription Edition security update, KB5002882, is build 16.0.19725.20434.
That broader footprint makes asset identification more important than simply checking whether Word or Excel is installed on employee PCs. Patch teams should query both endpoint-management platforms and the SharePoint farm inventory before declaring the CVE remediated.
SharePoint Servicing Carries Its Own Deployment Work
CVE-2026-55028 is bundled into SharePoint cumulative security updates that address many other July vulnerabilities. Installing those packages therefore has consequences beyond this individual information-disclosure flaw, including prerequisites and post-installation work that farm administrators need to plan.For SharePoint Server Subscription Edition, Microsoft says organizations using SharePoint Workflow Manager must install Workflow Manager update KB5002799 before deploying KB5002882. Farms still using the Classic version of Workflow Manager must also enable Microsoft’s documented server debug flag to maintain workflow operation.
Microsoft additionally instructs Subscription Edition administrators to run PowerShell commands after PSConfig to disable a defense-in-depth actor-token audience validation feature that can cause a regression. The company says existing actor-token validation remains in place, but the instruction underscores why SharePoint updates should not be pushed as unattended Windows patches without reviewing the accompanying KB article.
The July Subscription Edition update also fixes a nonsecurity problem that prevented SharePoint 2010 workflows from starting after the June 2026 update. That repair may reduce deployment resistance for farms already dealing with the earlier regression, but administrators should still test workflow initiation, document rendering, search, and Office Web Apps integrations after updating.
SharePoint Server 2016 has separate server and language-pack packages, including KB5002891 and KB5002892. Microsoft’s support material associates CVE-2026-55028 with the July language-pack update, so farms with language packs should not assume that installing only the core binary package completes remediation.
Confidence Is Not the Same Measurement as Severity
The confidence language accompanying the advisory describes how certain the industry is that a vulnerability exists and how credible its technical details are. It is not another name for CVSS severity, exploit probability, or business risk.In this case, the vulnerability’s existence has strong confidence because Microsoft, the product vendor and CVE Numbering Authority, has acknowledged it and shipped corrected software. The weakness type, attack vector, required user interaction, and confidentiality impact are also vendor-assigned rather than inferred solely from an unverified third-party report.
What remains limited is the depth of public technical knowledge. Microsoft has identified the root weakness as an out-of-bounds read but has not publicly documented the vulnerable function, affected file format, leaked memory region, or a reliable exploitation method. NVD’s pending enrichment status reinforces that the public record is currently authoritative but sparse.
That combination should temper, rather than eliminate, urgency. Attackers have enough information to know that malformed content can potentially recover sensitive process memory, while defenders do not yet have detailed indicators that could reliably distinguish an exploit attempt from an ordinary malformed document.
Patch the Fleet, Then Verify the Build
For managed Microsoft 365 Apps deployments, administrators should confirm that July 2026 security builds have reached each configured update channel rather than relying only on a successful update-policy assignment. Devices that are offline, pinned to deferred builds, or failing Click-to-Run servicing can remain exposed while appearing compliant at the policy level.MSI-based Office 2016 systems should receive the applicable July Office updates through Microsoft Update, WSUS, Microsoft Configuration Manager, the Update Catalog, or Microsoft’s standalone packages. Mac administrators should verify that Office reports version 16.111.26071215 or later.
SharePoint teams have the heavier change window. They should back up the farm, review Workflow Manager prerequisites, install every applicable server and language-pack package, run the SharePoint Products Configuration Wizard or PSConfig across the farm, and then confirm the resulting build numbers.
CVE-2026-55028 was not identified as an exploited zero-day when Microsoft published it on July 14, but its low attack complexity, lack of required privileges, and high confidentiality impact argue against leaving it for an indefinite maintenance cycle. The immediate milestone is straightforward: bring desktop Office and Mac installations onto their July security builds, and treat the corresponding SharePoint updates as a coordinated farm deployment rather than an ordinary endpoint patch.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
July 2026 updates for Microsoft Office | Microsoft Support
July 2026 updates for Microsoft Officesupport.microsoft.com - Related coverage: techradar.com
Worrying Microsoft Office security flaw patched - update now or risk hackers accessing your files | TechRadar
Microsoft forced to issue an emergency patchwww.techradar.com - Related coverage: pcgamer.com
Microsoft announces that Office has two critical security vulnerabilities, and here's where you can find patches to fix them | PC Gamer
Both also require local access to exploit, so while they're bad, they're not super bad.www.pcgamer.com