Microsoft’s July 14, 2026 Office security updates fix CVE-2026-55035, an out-of-bounds read that can expose sensitive information when a user interacts with malicious content. The vulnerability affects Microsoft 365 Apps for enterprise, supported perpetual Office releases, Office for Mac, and on-premises SharePoint Server installations.
Microsoft classifies CVE-2026-55035 as an Important information-disclosure vulnerability. The National Vulnerability Database records a CVSS 3.1 base score of 5.5, placing it in the numerical “Medium” range, but that score should not be mistaken for a reason to skip the update.
Detailed in Microsoft’s Security Update Guide and published alongside the July 2026 Office patches, the flaw is confirmed rather than speculative. Microsoft reported no public disclosure or active exploitation at release and assessed exploitation as less likely.
CVE-2026-55035 is identified as CWE-125, an out-of-bounds read. This class of memory-safety error occurs when software reads beyond the boundary of the memory buffer it was supposed to access, potentially returning data from an unintended area of memory.
Microsoft’s CVSS vector is
That last requirement matters. An attacker cannot simply scan an Internet-facing Windows PC and retrieve Office data through this bug. The target must be persuaded to interact with attacker-controlled content, most plausibly a specially prepared file delivered through email, messaging, a shared folder, or another document-distribution channel.
The vulnerability carries a high confidentiality impact but no stated integrity or availability impact. A successful exploit is therefore expected to disclose information rather than modify documents, execute arbitrary code, or crash the affected system.
Microsoft has not publicly documented exactly which data could be exposed or how predictable the leaked memory would be. Administrators should not assume that the issue is limited to harmless process metadata, however. The CVSS confidentiality rating indicates that successful exploitation could produce a serious loss of information within the affected security context.
Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Office LTSC 2024 are serviced through their respective Office release channels. Administrators should verify the deployed channel and build rather than treating the presence of a recent Windows cumulative update as evidence that Office has also been patched.
That distinction is especially important on managed PCs. Click-to-Run Office installations can follow update policies separate from Windows Update, while MSI-based Office 2016 deployments may require individual security packages. Devices kept on delayed Microsoft 365 Apps channels also need to receive the corrected build approved for their channel.
The SharePoint entries widen the operational impact. CVE-2026-55035 is labeled as a Microsoft Office vulnerability, but applicable Office components are also shipped in on-premises SharePoint products. Patching employee workstations alone will not close the issue across an organization that operates SharePoint Server 2016 or SharePoint Server 2019.
Memory-disclosure vulnerabilities are frequently useful as part of a larger attack chain. Leaked process data can potentially reveal addresses, document fragments, or other information that helps an attacker understand the target environment or bypass protections used against a separate memory-corruption exploit. Microsoft has not announced such a chain involving CVE-2026-55035, but the possibility explains why confidentiality-only flaws still merit attention.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment recorded no known exploitation, judged the issue not readily automatable, and described its technical impact as partial. That broadly matches Microsoft’s “exploitation less likely” rating: the vulnerability does not appear to be a wormable Office emergency, yet it remains a credible document-based security risk.
The supplied report-confidence metric is also significant. Microsoft treats the vulnerability as confirmed, meaning the flaw’s existence has been established through detailed reporting, reproducibility, source review, or vendor verification. Report confidence says nothing by itself about active attacks, but it separates a validated vulnerability from an uncorroborated claim.
There was no public exploit or prior disclosure listed when Microsoft released the fix on July 14. That gives administrators an opportunity to patch before technical analysis of the update potentially reveals more about the vulnerable code path.
Office 2016 deployments should receive the applicable July 14 security packages. Microsoft’s July Office release includes separate updates for shared Office components and applications such as Word, Excel, and PowerPoint, so organizations using MSI-based Office should deploy the complete applicable set rather than selecting one package based solely on the CVE title.
SharePoint administrators face the usual additional work: farm patching needs planning, validation, and completion of any required post-installation configuration steps. Microsoft’s July documentation also carries prerequisites and workflow-related notes for some SharePoint 2016 environments. Those instructions should be reviewed before introducing the cumulative update into production.
Security teams can use mail filtering, attachment sandboxing, Protected View, and restrictions on files from untrusted sources as useful layers while updates move through testing. Those measures reduce exposure but are not replacements for installing the vendor fix, particularly because the precise malicious content and affected Office parsing path have not been publicly described.
Organizations should prioritize systems whose users routinely process external documents, including finance, recruitment, legal, customer support, and executive teams. Shared terminal servers and virtual desktop pools running Office also deserve explicit checks because one missed base image can leave many users on the vulnerable build.
CVE-2026-55035 is not the most severe Office flaw in Microsoft’s unusually large July 2026 security release, and Microsoft has not seen it exploited. Its broad product coverage is the more immediate concern: deployment is not complete until updated builds are confirmed across Windows Office clients, Macs, managed Microsoft 365 Apps channels, and every affected on-premises SharePoint farm.
Microsoft classifies CVE-2026-55035 as an Important information-disclosure vulnerability. The National Vulnerability Database records a CVSS 3.1 base score of 5.5, placing it in the numerical “Medium” range, but that score should not be mistaken for a reason to skip the update.
Detailed in Microsoft’s Security Update Guide and published alongside the July 2026 Office patches, the flaw is confirmed rather than speculative. Microsoft reported no public disclosure or active exploitation at release and assessed exploitation as less likely.
A Document Must Still Reach the User
CVE-2026-55035 is identified as CWE-125, an out-of-bounds read. This class of memory-safety error occurs when software reads beyond the boundary of the memory buffer it was supposed to access, potentially returning data from an unintended area of memory.Microsoft’s CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, the attack is local rather than directly network-triggered, requires low complexity, needs no prior privileges, and depends on user interaction.That last requirement matters. An attacker cannot simply scan an Internet-facing Windows PC and retrieve Office data through this bug. The target must be persuaded to interact with attacker-controlled content, most plausibly a specially prepared file delivered through email, messaging, a shared folder, or another document-distribution channel.
The vulnerability carries a high confidentiality impact but no stated integrity or availability impact. A successful exploit is therefore expected to disclose information rather than modify documents, execute arbitrary code, or crash the affected system.
Microsoft has not publicly documented exactly which data could be exposed or how predictable the leaked memory would be. Administrators should not assume that the issue is limited to harmless process metadata, however. The CVSS confidentiality rating indicates that successful exploitation could produce a serious loss of information within the affected security context.
The Affected Product List Reaches Beyond Windows Desktops
The scope of CVE-2026-55035 covers several Office servicing models rather than one isolated application version. According to Microsoft’s CVE record, affected products include:- Microsoft 365 Apps for enterprise on 32-bit and 64-bit Windows systems.
- Microsoft Office 2016 and Microsoft Office 2019 on Windows.
- Microsoft Office LTSC 2021 and Office LTSC 2024 on Windows.
- Microsoft 365 and Office for Mac.
- Microsoft Office LTSC for Mac 2021 and Office LTSC for Mac 2024.
- Microsoft SharePoint Enterprise Server 2016 and SharePoint Server 2019.
Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Office LTSC 2024 are serviced through their respective Office release channels. Administrators should verify the deployed channel and build rather than treating the presence of a recent Windows cumulative update as evidence that Office has also been patched.
That distinction is especially important on managed PCs. Click-to-Run Office installations can follow update policies separate from Windows Update, while MSI-based Office 2016 deployments may require individual security packages. Devices kept on delayed Microsoft 365 Apps channels also need to receive the corrected build approved for their channel.
The SharePoint entries widen the operational impact. CVE-2026-55035 is labeled as a Microsoft Office vulnerability, but applicable Office components are also shipped in on-premises SharePoint products. Patching employee workstations alone will not close the issue across an organization that operates SharePoint Server 2016 or SharePoint Server 2019.
A Modest Score Still Describes High-Value Leakage
The 5.5 CVSS score reflects the barriers around exploitation, particularly the local attack vector and requirement for user interaction. It does not mean the information obtained after successful exploitation is necessarily trivial.Memory-disclosure vulnerabilities are frequently useful as part of a larger attack chain. Leaked process data can potentially reveal addresses, document fragments, or other information that helps an attacker understand the target environment or bypass protections used against a separate memory-corruption exploit. Microsoft has not announced such a chain involving CVE-2026-55035, but the possibility explains why confidentiality-only flaws still merit attention.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment recorded no known exploitation, judged the issue not readily automatable, and described its technical impact as partial. That broadly matches Microsoft’s “exploitation less likely” rating: the vulnerability does not appear to be a wormable Office emergency, yet it remains a credible document-based security risk.
The supplied report-confidence metric is also significant. Microsoft treats the vulnerability as confirmed, meaning the flaw’s existence has been established through detailed reporting, reproducibility, source review, or vendor verification. Report confidence says nothing by itself about active attacks, but it separates a validated vulnerability from an uncorroborated claim.
There was no public exploit or prior disclosure listed when Microsoft released the fix on July 14. That gives administrators an opportunity to patch before technical analysis of the update potentially reveals more about the vulnerable code path.
Office and SharePoint Need Separate Deployment Checks
For Microsoft 365 Apps, administrators should use the Microsoft 365 Apps admin center, Configuration Manager, Intune reporting, or their normal inventory platform to confirm that devices have advanced to a corrected Office build. Merely forcing a Windows Update scan may not update an Office installation controlled by enterprise servicing policy.Office 2016 deployments should receive the applicable July 14 security packages. Microsoft’s July Office release includes separate updates for shared Office components and applications such as Word, Excel, and PowerPoint, so organizations using MSI-based Office should deploy the complete applicable set rather than selecting one package based solely on the CVE title.
SharePoint administrators face the usual additional work: farm patching needs planning, validation, and completion of any required post-installation configuration steps. Microsoft’s July documentation also carries prerequisites and workflow-related notes for some SharePoint 2016 environments. Those instructions should be reviewed before introducing the cumulative update into production.
Security teams can use mail filtering, attachment sandboxing, Protected View, and restrictions on files from untrusted sources as useful layers while updates move through testing. Those measures reduce exposure but are not replacements for installing the vendor fix, particularly because the precise malicious content and affected Office parsing path have not been publicly described.
Organizations should prioritize systems whose users routinely process external documents, including finance, recruitment, legal, customer support, and executive teams. Shared terminal servers and virtual desktop pools running Office also deserve explicit checks because one missed base image can leave many users on the vulnerable build.
CVE-2026-55035 is not the most severe Office flaw in Microsoft’s unusually large July 2026 security release, and Microsoft has not seen it exploited. Its broad product coverage is the more immediate concern: deployment is not complete until updated builds are confirmed across Windows Office clients, Macs, managed Microsoft 365 Apps channels, and every affected on-premises SharePoint farm.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
July 2026 updates for Microsoft Office | Microsoft Support
July 2026 updates for Microsoft Officesupport.microsoft.com - Related coverage: ncsc.gov.ie
- Related coverage: korporaalmedia.nl
NCSC-2026-0237 [1.00] [M/H] Kwetsbaarheden verholpen in Microsoft Office - Korporaal Media
Microsoft heeft kwetsbaarheden verholpen in diverse Office producten, zoals Word, Excel, Powerpoint en SharePoint. Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot categorieën schade, zoals benoemd in onderstaande tabel. Voor succesvol misbruik...korporaalmedia.nl