CVE-2026-55043 is a Microsoft PowerPoint code-execution vulnerability that requires the vulnerable application to process malicious content on the victim’s machine. Its CVSS 3.1 vector begins with
Microsoft published the flaw on July 14, 2026, as part of its monthly security release. The Microsoft Security Response Center rates it Critical, while its CVSS 3.1 base score is 7.8, or High:
That vector tells administrators more about the actual attack than the three-letter RCE label. Exploitation has low complexity, requires no existing privileges, and depends on user interaction. If successful, it can have a high impact on confidentiality, integrity, and availability.
The apparent contradiction comes from two classification systems answering different questions.
Microsoft’s “Remote Code Execution” title describes the vulnerability’s impact class and threat scenario. An attacker who is not already sitting at the targeted computer can prepare malicious content, deliver it to another person, and potentially gain arbitrary code execution when that content is handled locally.
CVSS Attack Vector, by contrast, describes how exploitation reaches the vulnerable component. FIRST, which maintains CVSS, defines
PowerPoint is a desktop document processor, not a network service listening for hostile packets. The vulnerable parsing operation therefore occurs inside the local PowerPoint process after the presentation or associated content reaches the computer. Email, cloud storage, Microsoft Teams, a web download, or a USB drive might deliver that content, but none of those delivery channels automatically turns the PowerPoint flaw itself into
Microsoft addresses this distinction directly in its advisory. The company says “Remote” refers to the attacker’s location, while the exploit is carried out locally because the attacker or victim must execute code from the local machine. Microsoft also notes that this class of issue may be described more generically as Arbitrary Code Execution, or ACE.
In practical terms, this is not the same threat model as an unauthenticated vulnerability in Remote Desktop Protocol, SharePoint Server, or a DHCP service. An attacker cannot simply connect to PowerPoint across the network and trigger CVE-2026-55043. A local application action must complete the chain.
This is a recurring source of confusion in Office advisories. Security teams sometimes read “local” as synonymous with post-compromise privilege escalation, where malware is already running on the device. CVSS uses the term more broadly: opening or otherwise processing an attacker-supplied document in a local application can qualify when the vulnerable operation is not conducted through a network protocol.
The reverse misunderstanding is equally risky. “Remote Code Execution” does not always mean a remotely reachable, no-click path. The label alone does not establish whether exploitation can cross the internet directly, requires authentication, or needs a victim to open a file. Those details live in the CVSS metrics and the vendor’s exploitation notes.
Such memory-safety defects can occur when an application calculates a size incorrectly or writes more data into a heap allocation than the allocation can hold. A crash may be the most visible result, but controlled memory corruption can sometimes be developed into execution of attacker-chosen code.
Successful code would ordinarily run with the rights of the person using PowerPoint. That distinction matters on managed Windows devices: a standard user account can limit immediate system-wide damage, while a user operating with administrative privileges gives malicious code a more powerful initial context. Even under a standard account, however, document access, browser sessions, cloud credentials, and reachable corporate resources can remain exposed.
The Zero Day Initiative’s July 2026 update review lists CVE-2026-55043 as neither publicly disclosed nor exploited in the wild at release time. That status reduces evidence of immediate active targeting, but it does not eliminate the need to patch; Office documents are common phishing payloads, and memory-corruption fixes can become easier to study after updates are distributed.
For PowerPoint 2016 on Windows, the CVE data identifies versions earlier than 16.0.5561.1000 as affected. Microsoft’s July 2026 Office update catalog points administrators to KB5002867 for the PowerPoint 2016 security update.
On macOS, affected Office installations must be updated to version 16.111.26071215 or later. Microsoft 365 Apps and newer perpetual Office releases follow their respective servicing channels, so administrators should verify that devices have received the July 14 security release rather than relying only on the presence of an Office product version.
Enterprises should also check machines that do not remain online long enough for Click-to-Run servicing, non-persistent virtual desktops, unmanaged Mac installations, and older Office 2016 deployments using MSI-based updates. Email filtering and Protected View remain useful layers, but they are not substitutes for correcting the vulnerable PowerPoint code.
CVE-2026-55043 is therefore both local and remote in defensible—but different—senses. The attacker may deliver the malicious presentation from elsewhere, while exploitation occurs only when PowerPoint processes it on the endpoint. For triage,
AV:L, but Microsoft still calls it a Remote Code Execution vulnerability because remote describes the attacker’s position and intended outcome—not a network-facing exploitation path.Microsoft published the flaw on July 14, 2026, as part of its monthly security release. The Microsoft Security Response Center rates it Critical, while its CVSS 3.1 base score is 7.8, or High:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.That vector tells administrators more about the actual attack than the three-letter RCE label. Exploitation has low complexity, requires no existing privileges, and depends on user interaction. If successful, it can have a high impact on confidentiality, integrity, and availability.
“Remote” and AV:L Measure Different Things
The apparent contradiction comes from two classification systems answering different questions.Microsoft’s “Remote Code Execution” title describes the vulnerability’s impact class and threat scenario. An attacker who is not already sitting at the targeted computer can prepare malicious content, deliver it to another person, and potentially gain arbitrary code execution when that content is handled locally.
CVSS Attack Vector, by contrast, describes how exploitation reaches the vulnerable component. FIRST, which maintains CVSS, defines
AV:L as a case where the component is not directly exploitable through the network stack and the attack path instead involves local read, write, or execution capabilities.PowerPoint is a desktop document processor, not a network service listening for hostile packets. The vulnerable parsing operation therefore occurs inside the local PowerPoint process after the presentation or associated content reaches the computer. Email, cloud storage, Microsoft Teams, a web download, or a USB drive might deliver that content, but none of those delivery channels automatically turns the PowerPoint flaw itself into
AV:N.Microsoft addresses this distinction directly in its advisory. The company says “Remote” refers to the attacker’s location, while the exploit is carried out locally because the attacker or victim must execute code from the local machine. Microsoft also notes that this class of issue may be described more generically as Arbitrary Code Execution, or ACE.
In practical terms, this is not the same threat model as an unauthenticated vulnerability in Remote Desktop Protocol, SharePoint Server, or a DHCP service. An attacker cannot simply connect to PowerPoint across the network and trigger CVE-2026-55043. A local application action must complete the chain.
The CVSS Vector Reveals the Real Attack Chain
The rest of Microsoft’s vector makes the expected scenario clearer:AC:Lmeans Microsoft does not identify unusually difficult preparation or race conditions as prerequisites.PR:Nmeans the attacker does not need an account or existing privileges on the target system before beginning the attack.UI:Rmeans another person must take an action that allows PowerPoint to process the malicious content.S:Umeans the security authority affected by exploitation remains within the vulnerable component’s existing scope.C:H/I:H/A:Hindicates potentially severe effects on data confidentiality, data integrity, and system availability.
AV:L with UI:R. It describes a client-side attack in which content must arrive at the endpoint and a user must interact with it. The local vector does not mean the attacker must already have an interactive desktop session, physical access, or a compromised Windows account.This is a recurring source of confusion in Office advisories. Security teams sometimes read “local” as synonymous with post-compromise privilege escalation, where malware is already running on the device. CVSS uses the term more broadly: opening or otherwise processing an attacker-supplied document in a local application can qualify when the vulnerable operation is not conducted through a network protocol.
The reverse misunderstanding is equally risky. “Remote Code Execution” does not always mean a remotely reachable, no-click path. The label alone does not establish whether exploitation can cross the internet directly, requires authentication, or needs a victim to open a file. Those details live in the CVSS metrics and the vendor’s exploitation notes.
A Heap Overflow Sits Behind the PowerPoint Label
The CVE record describes CVE-2026-55043 as a heap-based buffer overflow in Microsoft Office PowerPoint. It also associates the flaw with CWE-122, for heap-based buffer overflows, and CWE-190, for integer overflow or wraparound.Such memory-safety defects can occur when an application calculates a size incorrectly or writes more data into a heap allocation than the allocation can hold. A crash may be the most visible result, but controlled memory corruption can sometimes be developed into execution of attacker-chosen code.
Successful code would ordinarily run with the rights of the person using PowerPoint. That distinction matters on managed Windows devices: a standard user account can limit immediate system-wide damage, while a user operating with administrative privileges gives malicious code a more powerful initial context. Even under a standard account, however, document access, browser sessions, cloud credentials, and reachable corporate resources can remain exposed.
The Zero Day Initiative’s July 2026 update review lists CVE-2026-55043 as neither publicly disclosed nor exploited in the wild at release time. That status reduces evidence of immediate active targeting, but it does not eliminate the need to patch; Office documents are common phishing payloads, and memory-corruption fixes can become easier to study after updates are distributed.
PowerPoint Updates Close the Local Execution Path
Microsoft lists affected products across its current Office estate, including Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, PowerPoint 2016, Office 365 for Mac, and the Mac editions of Office LTSC 2021 and 2024.For PowerPoint 2016 on Windows, the CVE data identifies versions earlier than 16.0.5561.1000 as affected. Microsoft’s July 2026 Office update catalog points administrators to KB5002867 for the PowerPoint 2016 security update.
On macOS, affected Office installations must be updated to version 16.111.26071215 or later. Microsoft 365 Apps and newer perpetual Office releases follow their respective servicing channels, so administrators should verify that devices have received the July 14 security release rather than relying only on the presence of an Office product version.
Enterprises should also check machines that do not remain online long enough for Click-to-Run servicing, non-persistent virtual desktops, unmanaged Mac installations, and older Office 2016 deployments using MSI-based updates. Email filtering and Protected View remain useful layers, but they are not substitutes for correcting the vulnerable PowerPoint code.
CVE-2026-55043 is therefore both local and remote in defensible—but different—senses. The attacker may deliver the malicious presentation from elsewhere, while exploitation occurs only when PowerPoint processes it on the endpoint. For triage,
AV:L/UI:R is the actionable description: patch PowerPoint, keep document-handling protections enabled, and treat unexpected presentations as untrusted even though no network-facing PowerPoint service is exposed.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: microsoft.com
More information about the DLL Preloading remote attack vector
www.microsoft.com