CVE-2026-55032 is a Microsoft Word remote code execution vulnerability fixed in the July 14, 2026 security release, and Microsoft’s deployment guidance is unambiguous: install every applicable update offered for each affected product on the system. If the Security Updates table lists multiple packages for an installed product, administrators should deploy all of them; Microsoft says the applicable packages may be installed in any order.
Detailed in the Microsoft Security Response Center advisory, the flaw is a use-after-free memory vulnerability in Microsoft Office Word. Microsoft rates it Important with a CVSS 3.1 score of 7.8, reflecting the potential for a successful attacker to compromise confidentiality, integrity, and availability in the context of the affected application and user.
The National Vulnerability Database lists user interaction as required. In practical terms, an attacker would need to persuade a user to open or otherwise process malicious content rather than simply reaching an exposed machine over the network. Microsoft and the Zero Day Initiative reported no public disclosure or known exploitation when the July updates were released.
The appearance of several entries in Microsoft’s Security Updates table does not mean administrators should choose the newest-looking package and disregard the rest. The table can expose separate fixes for product components, installation technologies, language packs, architectures, or server roles that share vulnerable Office code.
For CVE-2026-55032, the affected-product list reaches beyond desktop installations of Word. Microsoft identifies affected versions across:
Microsoft Word 2016 receives KB5002890, bringing the fixed version to 16.0.5561.1000. Microsoft’s affected-product data also identifies SharePoint Enterprise Server 2016 builds earlier than 16.0.5561.1001, SharePoint Server 2019 builds earlier than 16.0.10417.20175, and SharePoint Server Subscription Edition builds earlier than 16.0.19725.20434 as vulnerable.
SharePoint Server Subscription Edition’s July cumulative security release is KB5002882, build 16.0.19725.20434. Microsoft says that package resolves CVE-2026-55032 alongside a much larger collection of SharePoint, Office, and Word vulnerabilities. This is another reason that update-package selection should follow Microsoft’s applicability detection rather than the CVE title alone.
A 64-bit Office installation does not need a 32-bit package. A Click-to-Run Microsoft 365 Apps deployment does not use the same servicing path as an MSI-based Word 2016 installation. A SharePoint Server 2019 farm does not take the Subscription Edition package, and a server without a particular language component should not be given an unrelated language-pack update.
The safe interpretation is straightforward: inventory the product, edition, architecture, servicing channel, installed components, and current build, then accept every July 2026 security package that Microsoft Update, the Office servicing channel, or the Security Update Guide marks as applicable. Do not treat separate applicable entries as alternatives unless Microsoft’s documentation explicitly says they replace one another.
Managed Microsoft 365 Apps installations should receive the corrected Office build through their configured update channel. Because update-channel policies can defer releases, administrators should verify the installed build after deployment rather than assume that an update scan means the corrected Office code has reached every endpoint.
MSI-based Office deployments require more deliberate checking. KB5002890 applies to Microsoft Word 2016 installations using the Microsoft Installer servicing model, while Click-to-Run editions are serviced through Office update channels. Endpoint-management reports should distinguish between those installation types before compliance is calculated.
Mac administrators should verify that affected Microsoft 365 and Office LTSC installations have reached version 16.111.26071215 or later. A Windows-only patch dashboard will not account for those devices even when the organization uses the same Microsoft 365 tenant across platforms.
KB5002882 also carries deployment considerations unrelated to CVE-2026-55032. Microsoft says environments using SharePoint Workflow Manager must install KB5002799 before applying the Subscription Edition cumulative update. The support documentation also describes a post-PSConfig PowerShell setting associated with a defense-in-depth validation feature that can cause a regression.
Those conditions make change control necessary, but they do not turn the listed security packages into optional alternatives. Organizations should test the complete July SharePoint update set against workflows, custom solutions, authentication integrations, search, and document-processing workloads, then promote that same tested set into production.
SharePoint Server 2016 administrators may also see separate core-product and language-pack packages. KB5002892, for example, updates the SharePoint Server 2016 Language Pack to build 16.0.5561.1001 and includes coverage associated with CVE-2026-55032 and other July Office vulnerabilities. If Microsoft identifies both a base product update and a language-pack update as applicable, deploying only one leaves the farm short of Microsoft’s supported security baseline.
The packages can be installed in any order for the purpose of addressing this CVE, according to the MSRC advisory. That flexibility should not override product-specific prerequisites, farm patching procedures, reboots, or PSConfig requirements documented for the individual KB releases.
Successful exploitation could execute code with the victim’s permissions. A standard user account limits the immediate reach, while a user operating with administrative privileges could hand the attacker substantially broader control over the machine. Enterprises should continue treating unsolicited Word documents, email attachments, collaboration-platform uploads, and downloaded templates as likely delivery routes even though Microsoft has not reported active exploitation.
Protective View, Microsoft Defender, attachment filtering, and least-privilege policies provide useful layers, but they are not substitutes for the corrected binaries. Security controls can also be bypassed by trusted-location configuration, internal file shares, compromised business contacts, or users who approve prompts presented by a convincing document.
Administrators should close the deployment by checking installed Office and SharePoint versions, not merely whether a July update job returned success. For CVE-2026-55032, the actionable rule is simple: install every package Microsoft marks as applicable, observe each product’s deployment prerequisites, and verify that no affected Word, Office, Mac, or SharePoint build remains below its fixed level.
Detailed in the Microsoft Security Response Center advisory, the flaw is a use-after-free memory vulnerability in Microsoft Office Word. Microsoft rates it Important with a CVSS 3.1 score of 7.8, reflecting the potential for a successful attacker to compromise confidentiality, integrity, and availability in the context of the affected application and user.
The National Vulnerability Database lists user interaction as required. In practical terms, an attacker would need to persuade a user to open or otherwise process malicious content rather than simply reaching an exposed machine over the network. Microsoft and the Zero Day Initiative reported no public disclosure or known exploitation when the July updates were released.
One CVE Can Require More Than One Package
The appearance of several entries in Microsoft’s Security Updates table does not mean administrators should choose the newest-looking package and disregard the rest. The table can expose separate fixes for product components, installation technologies, language packs, architectures, or server roles that share vulnerable Office code.For CVE-2026-55032, the affected-product list reaches beyond desktop installations of Word. Microsoft identifies affected versions across:
- Microsoft 365 Apps for enterprise on 32-bit and x64 systems.
- Microsoft Office 2019 on 32-bit and x64 systems.
- Microsoft Office LTSC 2021 and Office LTSC 2024.
- Microsoft Office 365 for Mac.
- Microsoft Office LTSC for Mac 2021 and 2024.
- Microsoft Word 2016 on 32-bit and x64 systems.
- SharePoint Enterprise Server 2016.
- SharePoint Server 2019.
- SharePoint Server Subscription Edition.
Microsoft Word 2016 receives KB5002890, bringing the fixed version to 16.0.5561.1000. Microsoft’s affected-product data also identifies SharePoint Enterprise Server 2016 builds earlier than 16.0.5561.1001, SharePoint Server 2019 builds earlier than 16.0.10417.20175, and SharePoint Server Subscription Edition builds earlier than 16.0.19725.20434 as vulnerable.
SharePoint Server Subscription Edition’s July cumulative security release is KB5002882, build 16.0.19725.20434. Microsoft says that package resolves CVE-2026-55032 alongside a much larger collection of SharePoint, Office, and Word vulnerabilities. This is another reason that update-package selection should follow Microsoft’s applicability detection rather than the CVE title alone.
“Applicable” Is the Word That Matters
Microsoft is not telling organizations to download every package displayed on the CVE page and force-install them everywhere. It is telling customers to install all updates that apply to the software actually present.A 64-bit Office installation does not need a 32-bit package. A Click-to-Run Microsoft 365 Apps deployment does not use the same servicing path as an MSI-based Word 2016 installation. A SharePoint Server 2019 farm does not take the Subscription Edition package, and a server without a particular language component should not be given an unrelated language-pack update.
The safe interpretation is straightforward: inventory the product, edition, architecture, servicing channel, installed components, and current build, then accept every July 2026 security package that Microsoft Update, the Office servicing channel, or the Security Update Guide marks as applicable. Do not treat separate applicable entries as alternatives unless Microsoft’s documentation explicitly says they replace one another.
Managed Microsoft 365 Apps installations should receive the corrected Office build through their configured update channel. Because update-channel policies can defer releases, administrators should verify the installed build after deployment rather than assume that an update scan means the corrected Office code has reached every endpoint.
MSI-based Office deployments require more deliberate checking. KB5002890 applies to Microsoft Word 2016 installations using the Microsoft Installer servicing model, while Click-to-Run editions are serviced through Office update channels. Endpoint-management reports should distinguish between those installation types before compliance is calculated.
Mac administrators should verify that affected Microsoft 365 and Office LTSC installations have reached version 16.111.26071215 or later. A Windows-only patch dashboard will not account for those devices even when the organization uses the same Microsoft 365 tenant across platforms.
SharePoint Requires Farm-Level Follow-Through
SharePoint patching is not complete merely because an update executable appears in Windows Update history. Administrators need to patch every server in the farm and complete Microsoft’s prescribed SharePoint configuration process so that binaries and databases remain aligned.KB5002882 also carries deployment considerations unrelated to CVE-2026-55032. Microsoft says environments using SharePoint Workflow Manager must install KB5002799 before applying the Subscription Edition cumulative update. The support documentation also describes a post-PSConfig PowerShell setting associated with a defense-in-depth validation feature that can cause a regression.
Those conditions make change control necessary, but they do not turn the listed security packages into optional alternatives. Organizations should test the complete July SharePoint update set against workflows, custom solutions, authentication integrations, search, and document-processing workloads, then promote that same tested set into production.
SharePoint Server 2016 administrators may also see separate core-product and language-pack packages. KB5002892, for example, updates the SharePoint Server 2016 Language Pack to build 16.0.5561.1001 and includes coverage associated with CVE-2026-55032 and other July Office vulnerabilities. If Microsoft identifies both a base product update and a language-pack update as applicable, deploying only one leaves the farm short of Microsoft’s supported security baseline.
The packages can be installed in any order for the purpose of addressing this CVE, according to the MSRC advisory. That flexibility should not override product-specific prerequisites, farm patching procedures, reboots, or PSConfig requirements documented for the individual KB releases.
The Exploit Needs a User, but the Impact Is Still Total
The CVSS vector describes a local attack path with low attack complexity, no prior privileges, and required user interaction. “Remote code execution” and “local attack vector” are not contradictory here: the attacker can originate remotely but must deliver content that the victim causes Word or a related component to process.Successful exploitation could execute code with the victim’s permissions. A standard user account limits the immediate reach, while a user operating with administrative privileges could hand the attacker substantially broader control over the machine. Enterprises should continue treating unsolicited Word documents, email attachments, collaboration-platform uploads, and downloaded templates as likely delivery routes even though Microsoft has not reported active exploitation.
Protective View, Microsoft Defender, attachment filtering, and least-privilege policies provide useful layers, but they are not substitutes for the corrected binaries. Security controls can also be bypassed by trusted-location configuration, internal file shares, compromised business contacts, or users who approve prompts presented by a convincing document.
Administrators should close the deployment by checking installed Office and SharePoint versions, not merely whether a July update job returned success. For CVE-2026-55032, the actionable rule is simple: install every package Microsoft marks as applicable, observe each product’s deployment prerequisites, and verify that no affected Word, Office, Mac, or SharePoint build remains below its fixed level.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com