CVE-2026-55042: Install July 14 Office Updates to Stop Data Leaks

Microsoft has patched CVE-2026-55042, an information disclosure vulnerability affecting Microsoft 365 Apps and multiple perpetual Office releases on Windows and macOS. The flaw can expose sensitive information when a user interacts with attacker-controlled content, making the July 14, 2026 Office security updates the practical fix for affected installations.
Detailed in the Microsoft Security Response Center’s July security release, CVE-2026-55042 carries a CVSS 3.1 base score of 5.5, placing it in the Medium severity range. Microsoft describes the underlying weakness as the use of an uninitialized resource in Microsoft Office, classified as CWE-908.
The National Vulnerability Database was still awaiting its own enrichment analysis as of July 15, but its record reproduces Microsoft’s affected-product data and scoring. Microsoft is the assigning CVE Numbering Authority, so the vulnerability’s existence and core technical details are vendor-confirmed rather than based solely on an unverified third-party report.

Microsoft security updates dated July 14, 2026, show a shield, devices, and high-severity CVE-2026-55042.The Attack Starts Locally but Still Needs a User​

Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. That string matters because it narrows both the likely attack path and the potential damage.
The local attack-vector rating does not necessarily mean an attacker must already possess an interactive account on the computer. In Office vulnerabilities, local exploitation can involve persuading a user to open or otherwise process a crafted file after it has reached the endpoint through email, a browser download, cloud storage, a collaboration platform, or removable media.
User interaction is required, and Microsoft rates the attack complexity as low. The attacker does not need privileges before exploitation, but successful exploitation remains dependent on the targeted user or an Office process handling the malicious content.
The resulting impact is limited to confidentiality. Microsoft assigns a High confidentiality impact while recording no integrity or availability impact, indicating that successful exploitation could reveal protected information without directly modifying data, executing arbitrary code, or crashing the application.
That distinction keeps CVE-2026-55042 below the urgency of an Office remote-code-execution zero-day, but it does not make the bug harmless. Information leaked from a document-handling process can potentially include data that helps an attacker understand the target environment, recover content that should not have been exposed, or prepare a second-stage attack.
Microsoft has not publicly documented exactly which information could be disclosed or supplied a proof-of-concept attack sequence. Administrators should therefore avoid assuming that the impact is limited to document metadata or another narrow category of data.

Uninitialized State Creates an Unpredictable Disclosure Path​

CVE-2026-55042 is classified as CWE-908, Use of Uninitialized Resource. This weakness occurs when software accesses a resource before it has been placed into a known, valid state.
In practical terms, an Office component may process memory, an object, a handle, or another internal resource containing residual or unintended data. Carefully crafted input can then reportedly cause information associated with that uninitialized state to become observable outside its intended boundary.
Microsoft’s advisory does not identify a particular Office application such as Word, Excel, PowerPoint, or Outlook as the sole vulnerable component. It instead lists Microsoft Office as the affected product family, which argues against treating application-level restrictions as a complete mitigation unless Microsoft publishes more specific technical guidance.
The vulnerability’s report-confidence language also deserves context. Microsoft has acknowledged and patched the defect, making the existence of the vulnerability confirmed, but confirmation is not the same as full public disclosure. Would-be attackers know the weakness class, affected releases, scoring vector, and expected security impact, while the implementation details remain limited.
That gives defenders a window, not a guarantee. Patch analysis can eventually reveal what changed between vulnerable and corrected Office binaries, allowing researchers—and potentially attackers—to reconstruct more of the vulnerable code path.

Office 2016 Through LTSC 2024 Are in Scope​

The CVE record covers a broad range of Office deployment models rather than a single channel or architecture. On Windows, both 32-bit and x64 installations are represented where applicable.
Affected products include:
  • Microsoft 365 Apps for enterprise is affected on 32-bit and x64 Windows systems.
  • Microsoft Office 2016 is affected before version 16.0.5561.1000.
  • Microsoft Office 2019 is affected on 32-bit and x64 systems.
  • Microsoft Office LTSC 2021 is affected on 32-bit and x64 systems.
  • Microsoft Office LTSC 2024 is affected on 32-bit and x64 systems.
  • Microsoft 365 for Mac is affected before version 16.111.26071215.
  • Microsoft Office LTSC for Mac 2021 and LTSC for Mac 2024 are affected before version 16.111.26071215.
The explicit Office 2016 threshold gives administrators a concrete compliance check: installations should report version 16.0.5561.1000 or later. For Click-to-Run editions—including Microsoft 365 Apps, Office 2019, and the LTSC releases—Microsoft points administrators to the corresponding Office security release channels rather than presenting one universal build number in the CVE record.
Mac administrators should verify that Office has reached version 16.111.26071215 or later. This is particularly important on devices where Microsoft AutoUpdate has been disabled, deferred, or prevented from running because users rarely launch the update component.
Office 2019 also requires extra attention because its mainstream support ended on October 14, 2025. Microsoft’s Office security-release documentation says the company may issue selected Office 2019 updates at its discretion, but organizations still using that edition should not interpret a July 2026 fix as a renewed long-term servicing commitment.

Deployment Depends on How Office Was Installed​

Microsoft’s July 2026 Office update index lists the MSI-based Office 2016 packages released on July 14, including updates for shared Office components, Excel 2016, PowerPoint 2016, Word 2016, the Visual Basic for Applications runtime, charting, graphing, and Office Art components. Not every package in that release necessarily maps exclusively to CVE-2026-55042, so administrators should deploy all applicable July Office security updates rather than selecting packages based only on a single CVE description.
Microsoft 365 Apps and other Click-to-Run editions follow Office servicing channels instead of the traditional per-component MSI model. Those environments should use the Microsoft 365 Apps admin center, Configuration Manager, Intune, Group Policy, or their existing update-management tooling to confirm that clients have downloaded a build containing the July 14 security fixes.
A sensible validation pass should cover more than whether an update deployment job reports success. Administrators should inventory the actual Office version on each endpoint, separate MSI installations from Click-to-Run installations, and identify devices stuck on deferred, unsupported, or internally frozen channels.
Security teams can also reduce exposure while deployment proceeds by reinforcing controls around files originating outside the organization. Protected View, Mark of the Web handling, attachment scanning, Defender for Office 365 policies, and restrictions on untrusted Office content remain useful layers, although Microsoft has not described any of them as a complete workaround for CVE-2026-55042.

No Exploitation Reported, but the Fix Should Not Wait​

CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation, judged the attack as not readily automatable, and characterized the technical impact as partial. CVE-2026-55042 was also not identified as one of the actively exploited vulnerabilities highlighted in government summaries of Microsoft’s July 2026 release.
That supports a measured rollout rather than emergency isolation of every Office endpoint. It does not support skipping the update, particularly on systems used to review external submissions, customer documents, invoices, résumés, legal files, or email attachments.
For most organizations, internet-facing server vulnerabilities and confirmed zero-days from the same Patch Tuesday release will rank higher in the immediate deployment queue. CVE-2026-55042 should follow closely through the normal workstation and Mac update rings, with higher priority assigned to users who routinely process untrusted Office documents.
The next meaningful signal will be whether Microsoft revises the advisory with application-specific details, acknowledges public disclosure, or changes its exploitation assessment. Until then, the defensible endpoint state is straightforward: install the July 14, 2026 Office security updates and verify the resulting build rather than relying solely on an update console’s success message.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: www2.gov.bc.ca
  4. Related coverage: techradar.com
  5. Related coverage: windowscentral.com
 

Back
Top