CVE-2026-55045 allows code execution through an out-of-bounds read in Microsoft Office, but its CVSS 3.1 vector classifies the attack path as local rather than network-based. The apparent contradiction comes from Microsoft’s use of remote code execution to describe the security impact, while CVSS uses Attack Vector to describe how the vulnerable component must be reached.
Published in Microsoft’s July 14, 2026 security release, the flaw carries a CVSS base score of 8.4 and the vector
In practical terms, CVE-2026-55045 may let an attacker who is not physically sitting at the computer cause arbitrary code to run there. However, exploitation must ultimately be triggered through a local execution or file-processing path rather than by sending packets directly to a listening Office service.
Microsoft classifies the vulnerability as remote code execution because a successful exploit can result in attacker-controlled code running on another person’s system. The company notes that this type of impact can also be called arbitrary code execution, or ACE.
That label does not automatically require
An Office document parser, by contrast, ordinarily processes content on the target computer. An attacker might deliver malicious content from elsewhere, but Office must encounter and process that content locally for the underlying bug to be reached. The vulnerability is therefore scored relative to the Office component that performs the vulnerable operation, not the geographic route used to deliver the file or content.
FIRST’s CVSS guidance explicitly allows a Local attack vector when an attacker relies on read, write, or execute capabilities on the target, including cases where the attacker reaches the machine remotely or malicious content is processed locally. The word “local” consequently does not mean that an attacker must have physical keyboard access.
This distinction produces security advisories that sound inconsistent in ordinary English:
The Full Vector Matters More Than
Reading only the Attack Vector can understate the risk. Microsoft assigned CVE-2026-55045 a score of 8.4, placing it in the High range, because the rest of the vector describes a comparatively severe exploitation outcome.
The
Finally,
CISA’s initial Stakeholder-Specific Vulnerability Categorization data lists no known exploitation and describes the vulnerability as not readily automatable, while assigning it a total technical impact. That assessment can change if exploit research or active attacks emerge.
An out-of-bounds read is often associated with crashes or information disclosure rather than direct code execution. In some circumstances, however, exposed memory can reveal addresses or internal state needed to defeat protections such as Address Space Layout Randomization. It may also form part of a broader memory-safety failure that Microsoft has determined can lead to attacker-controlled execution.
The public advisory does not provide a proof of concept, the affected Office file format, or a detailed exploitation chain. It is therefore not possible from the published record alone to say whether the flaw is triggered by document parsing, background conversion, server-side processing, or another Office component.
That absence of detail is normal for a newly released Microsoft vulnerability, particularly when publishing a reliable trigger would help attackers construct malicious files. It also means defensive teams should avoid narrowing their exposure assessment to Word or Excel unless Microsoft subsequently identifies a specific application.
The National Vulnerability Database currently repeats Microsoft’s concise description: an out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. NVD had not completed its own enrichment when the record was published on July 14.
Server administrators should not overlook the SharePoint exposure. The CVE record includes SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, reflecting the use of shared Office components in Microsoft’s on-premises collaboration stack.
For SharePoint Server Subscription Edition, Microsoft released KB5002882, build
SharePoint Server 2016 updates move affected installations to build
Microsoft 365 Apps, Office 2019, and LTSC administrators should use their normal Office update-channel controls and confirm that July 2026 security builds have actually reached endpoints. Merely approving Windows cumulative updates does not guarantee that every Click-to-Run Office installation has advanced to a fixed build.
Administrators should deploy the July 14 Office and SharePoint updates, verify Office build compliance across update channels, and test SharePoint prerequisites before farm-wide installation. Email filtering, Protected View, endpoint detection, and restrictions on untrusted Office content remain useful layers, but they should not be treated as substitutes for the vendor fix.
The terminology is awkward, but the operational message is straightforward: the attacker may be remote even though the vulnerable code is reached locally. Until Microsoft publishes a more detailed exploitation scenario, CVE-2026-55045 should be handled as a high-impact Office code-execution vulnerability rather than dismissed because its CVSS vector begins with
Published in Microsoft’s July 14, 2026 security release, the flaw carries a CVSS base score of 8.4 and the vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Microsoft’s Security Response Center says the word remote in the title refers to the attacker’s location, not to a network protocol exposed by Office.In practical terms, CVE-2026-55045 may let an attacker who is not physically sitting at the computer cause arbitrary code to run there. However, exploitation must ultimately be triggered through a local execution or file-processing path rather than by sending packets directly to a listening Office service.
“Remote” Describes the Result, Not the CVSS Path
Microsoft classifies the vulnerability as remote code execution because a successful exploit can result in attacker-controlled code running on another person’s system. The company notes that this type of impact can also be called arbitrary code execution, or ACE.That label does not automatically require
AV:N, the CVSS value for a Network attack vector. Under the CVSS 3.1 specification maintained by FIRST, AV:N applies when the vulnerable component is reachable through the network stack and can be attacked at the protocol level across one or more network hops.An Office document parser, by contrast, ordinarily processes content on the target computer. An attacker might deliver malicious content from elsewhere, but Office must encounter and process that content locally for the underlying bug to be reached. The vulnerability is therefore scored relative to the Office component that performs the vulnerable operation, not the geographic route used to deliver the file or content.
FIRST’s CVSS guidance explicitly allows a Local attack vector when an attacker relies on read, write, or execute capabilities on the target, including cases where the attacker reaches the machine remotely or malicious content is processed locally. The word “local” consequently does not mean that an attacker must have physical keyboard access.
This distinction produces security advisories that sound inconsistent in ordinary English:
- The attacker can be remote from the victim.
- The malicious input can originate outside the organization.
- The vulnerable Office component is not attacked directly over a network protocol.
- The exploit reaches that component only when something on the target machine processes or executes the input.
The Full Vector Matters More Than AV:L
Reading only the Attack Vector can understate the risk. Microsoft assigned CVE-2026-55045 a score of 8.4, placing it in the High range, because the rest of the vector describes a comparatively severe exploitation outcome.AC:L means Microsoft considers the attack complexity low. The attacker does not need unusual conditions or a difficult race to reach the vulnerable behavior, based on the currently published assessment.PR:N means the attacker needs no existing privileges in the vulnerable component before exploitation. That is different from saying the attacker can reach Office directly from the internet; it means the exploit itself does not depend on an authenticated Office or local user account with established permissions.The
UI:N rating says successful exploitation does not require participation from a separate user under Microsoft’s scored scenario. This is an important detail because many document-based Office vulnerabilities receive UI:R when a victim must explicitly open a malicious attachment. Microsoft has not published enough technical detail to establish the precise trigger for CVE-2026-55045, so administrators should not assume that the only possible route is a conventional phishing attachment that somebody double-clicks.Finally,
C:H/I:H/A:H indicates high potential impact to confidentiality, integrity, and availability. Successful exploitation could therefore expose data, permit modification of data or system state, and disrupt the affected component.CISA’s initial Stakeholder-Specific Vulnerability Categorization data lists no known exploitation and describes the vulnerability as not readily automatable, while assigning it a total technical impact. That assessment can change if exploit research or active attacks emerge.
An Out-of-Bounds Read With Code-Execution Impact
Microsoft identifies the underlying weakness as CWE-125, an out-of-bounds read. This occurs when software reads memory beyond the intended boundary of a buffer or other allocated region.An out-of-bounds read is often associated with crashes or information disclosure rather than direct code execution. In some circumstances, however, exposed memory can reveal addresses or internal state needed to defeat protections such as Address Space Layout Randomization. It may also form part of a broader memory-safety failure that Microsoft has determined can lead to attacker-controlled execution.
The public advisory does not provide a proof of concept, the affected Office file format, or a detailed exploitation chain. It is therefore not possible from the published record alone to say whether the flaw is triggered by document parsing, background conversion, server-side processing, or another Office component.
That absence of detail is normal for a newly released Microsoft vulnerability, particularly when publishing a reliable trigger would help attackers construct malicious files. It also means defensive teams should avoid narrowing their exposure assessment to Word or Excel unless Microsoft subsequently identifies a specific application.
The National Vulnerability Database currently repeats Microsoft’s concise description: an out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. NVD had not completed its own enrichment when the record was published on July 14.
The Patch Reaches Beyond Desktop Office
The affected-product record includes Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 on Windows. Microsoft also lists Microsoft 365 and LTSC editions for Mac, with affected Mac releases below version16.111.26071215.Server administrators should not overlook the SharePoint exposure. The CVE record includes SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, reflecting the use of shared Office components in Microsoft’s on-premises collaboration stack.
For SharePoint Server Subscription Edition, Microsoft released KB5002882, build
16.0.19725.20434, as part of the July security release. Microsoft’s support documentation says farms using SharePoint Workflow Manager must install KB5002799 before applying that cumulative update, while Classic Workflow Manager deployments require an additional server debug flag to continue operating.SharePoint Server 2016 updates move affected installations to build
16.0.5561.1001. Office 2016 installations below 16.0.5561.1000 are included in Microsoft’s affected-product data, although administrators must still distinguish MSI-based Office installations from Click-to-Run deployments when selecting and verifying updates.Microsoft 365 Apps, Office 2019, and LTSC administrators should use their normal Office update-channel controls and confirm that July 2026 security builds have actually reached endpoints. Merely approving Windows cumulative updates does not guarantee that every Click-to-Run Office installation has advanced to a fixed build.
Patch as a Code-Execution Risk, Not a Local Privilege Bug
TheAV:L rating should not push CVE-2026-55045 to the bottom of a deployment queue. This is not described as a privilege-escalation flaw that becomes useful only after an attacker has already established local access. It is an Office content-processing vulnerability with no privileges or user interaction required in Microsoft’s CVSS scenario and with high impact across all three security categories.Administrators should deploy the July 14 Office and SharePoint updates, verify Office build compliance across update channels, and test SharePoint prerequisites before farm-wide installation. Email filtering, Protected View, endpoint detection, and restrictions on untrusted Office content remain useful layers, but they should not be treated as substitutes for the vendor fix.
The terminology is awkward, but the operational message is straightforward: the attacker may be remote even though the vulnerable code is reached locally. Until Microsoft publishes a more detailed exploitation scenario, CVE-2026-55045 should be handled as a high-impact Office code-execution vulnerability rather than dismissed because its CVSS vector begins with
AV:L.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Office 2016: July 14, 2026 (KB5002273) | Microsoft Support
Description of the security update for Office 2016: July 14, 2026 (KB5002273)support.microsoft.com