Microsoft’s July 14, 2026 security release fixes CVE-2026-55047, an Important-rated information-disclosure vulnerability affecting Microsoft 365 Apps, perpetual Office releases, Office for Mac, and supported on-premises SharePoint Server editions. Administrators should update affected installations because successful exploitation could expose sensitive information from Office memory, although the attack requires local access and user interaction.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the flaw is an out-of-bounds read tracked as CWE-125. Microsoft assigned it a CVSS 3.1 base score of 5.5, while the National Vulnerability Database was still enriching its independent record on July 15.
CVE-2026-55047 arrived as part of an unusually large July Patch Tuesday. BleepingComputer counted 570 Microsoft vulnerabilities in the release, including more than 100 information-disclosure bugs, making precise product inventories and deployment tracking especially important this month.
Microsoft’s CVSS vector is
The successful attack does not cross into another security authority, modify data, or interrupt service. Its measured impact is entirely on confidentiality, but Microsoft rates that potential confidentiality loss as high. In practical terms, the weakness could allow data outside the intended memory boundary to be read and disclosed.
An out-of-bounds read occurs when software retrieves memory beyond the buffer or object that it was supposed to access. The result can include fragments of documents, application state, pointers, credentials, or other process data, although Microsoft has not publicly specified exactly what information CVE-2026-55047 can expose.
That distinction matters. This is not described as a remote-code-execution vulnerability, and Microsoft’s scoring does not indicate that an attacker can use it directly to alter Office files or take control of a machine. Information leaks can nevertheless become valuable components in a longer exploit chain, particularly when leaked memory helps an attacker understand application state or defeat mitigations protecting another vulnerability.
The “local” classification should not be read as meaning that an attacker must already have an interactive account on the target PC. In CVSS, local attacks can include scenarios in which a victim is persuaded to open or otherwise process attacker-controlled content. Microsoft has not published enough technical detail to identify the exact delivery path, file format, or Office component involved, so organizations should avoid inventing document-specific detection rules around the limited public description.
Affected products include:
For SharePoint Server Subscription Edition, Microsoft packages the correction in the July 14 security update KB5002882, build 16.0.19725.20434. Microsoft says that update is available through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
KB5002882 is cumulative and resolves many vulnerabilities beyond CVE-2026-55047. It also fixes a problem that prevented SharePoint 2010 workflows from starting after the June 2026 update, but introduces deployment details that administrators need to review rather than treating the package as a simple single-CVE hotfix.
Microsoft warns organizations using SharePoint Workflow Manager to install KB5002799 before KB5002882. Farms still using the Classic version of Workflow Manager must enable a documented server debug flag to continue using it. Microsoft also directs administrators to change a farm setting after running PSConfig because a defense-in-depth actor-token validation feature can cause a regression; the company says existing actor-token checks remain in place.
Those instructions make testing and post-installation validation essential. SharePoint teams should verify farm build levels, confirm that the configuration wizard or PSConfig completes successfully, test workflows, and review Upgrade Status and relevant Unified Logging System entries before declaring the deployment finished.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation for CVE-2026-55047 and assessed the attack as not readily automatable, with partial technical impact. As of July 15, the vulnerability was not identified among the actively exploited zero-days highlighted in broader reporting on Microsoft’s July release.
That gives administrators room to follow controlled change-management procedures, but it is not a reason to defer the update indefinitely. The vulnerability requires user interaction, has no integrity or availability impact in Microsoft’s scoring, and carries a Medium CVSS score, yet Microsoft classifies it as Important because the exposed information could be sensitive and the affected product footprint is extensive.
Public technical detail remains sparse. Microsoft has confirmed the out-of-bounds read and published affected-version boundaries, but it has not disclosed the malformed object, vulnerable parser, leaked data type, or reliable indicators of exploitation. NVD had also not assigned its own CVSS analysis by July 15, displaying Microsoft’s score while its record remained under enrichment.
Security teams should pay particular attention to endpoints that routinely process untrusted documents: help desks, recruitment teams, finance departments, legal staff, shared workstations, and systems used for document conversion or content review. Existing controls that restrict unsolicited attachments and isolate untrusted files still provide useful defensive layers, but Microsoft has not documented a complete workaround that replaces patching.
Perpetual Office installations require closer inventory work because Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 do not necessarily follow the same servicing path. An organization that reports “Office is patched” based solely on its Microsoft 365 Apps dashboard may miss fixed-version installations deployed through MSI packages or separate enterprise software-distribution tooling.
SharePoint Server deserves its own change ticket and verification plan. Administrators should confirm that every server in the farm reaches the required build, complete the necessary configuration phase, and account for the workflow and actor-token instructions attached to the July cumulative packages.
CVE-2026-55047 is not the loudest vulnerability in July’s release, but its footprint makes it easy to leave gaps. The concrete target is straightforward: bring Office 2016 to at least 16.0.5561.1000, Office for Mac to at least 16.111.26071215, and each supported SharePoint edition to Microsoft’s July 14 build before normal document handling resumes on systems that missed the initial rollout.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the flaw is an out-of-bounds read tracked as CWE-125. Microsoft assigned it a CVSS 3.1 base score of 5.5, while the National Vulnerability Database was still enriching its independent record on July 15.
CVE-2026-55047 arrived as part of an unusually large July Patch Tuesday. BleepingComputer counted 570 Microsoft vulnerabilities in the release, including more than 100 information-disclosure bugs, making precise product inventories and deployment tracking especially important this month.
A Local Attack With a High Confidentiality Cost
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. That compact string describes a vulnerability that is locally exploitable, has low attack complexity, requires no existing privileges, and depends on a user taking some action.The successful attack does not cross into another security authority, modify data, or interrupt service. Its measured impact is entirely on confidentiality, but Microsoft rates that potential confidentiality loss as high. In practical terms, the weakness could allow data outside the intended memory boundary to be read and disclosed.
An out-of-bounds read occurs when software retrieves memory beyond the buffer or object that it was supposed to access. The result can include fragments of documents, application state, pointers, credentials, or other process data, although Microsoft has not publicly specified exactly what information CVE-2026-55047 can expose.
That distinction matters. This is not described as a remote-code-execution vulnerability, and Microsoft’s scoring does not indicate that an attacker can use it directly to alter Office files or take control of a machine. Information leaks can nevertheless become valuable components in a longer exploit chain, particularly when leaked memory helps an attacker understand application state or defeat mitigations protecting another vulnerability.
The “local” classification should not be read as meaning that an attacker must already have an interactive account on the target PC. In CVSS, local attacks can include scenarios in which a victim is persuaded to open or otherwise process attacker-controlled content. Microsoft has not published enough technical detail to identify the exact delivery path, file format, or Office component involved, so organizations should avoid inventing document-specific detection rules around the limited public description.
The Affected List Reaches Beyond Windows Desktops
The CVE record identifies a broad set of Office products rather than one named application such as Word or Excel. Both 32-bit and 64-bit Windows installations are affected where applicable, and the product list extends to macOS and SharePoint Server.Affected products include:
- Microsoft 365 Apps for enterprise on 32-bit and 64-bit Windows systems requires the applicable July Office security release.
- Microsoft Office 2016 must be updated to version 16.0.5561.1000 or later.
- Microsoft Office 2019 requires the applicable supported security release.
- Microsoft Office LTSC 2021 and Office LTSC 2024 require their corresponding July updates.
- Microsoft 365 and Office 365 for Mac must be updated to version 16.111.26071215 or later.
- Office LTSC for Mac 2021 and Office LTSC for Mac 2024 must also reach version 16.111.26071215 or later.
- SharePoint Enterprise Server 2016 must be updated to build 16.0.5561.1001 or later.
- SharePoint Server 2019 must be updated to build 16.0.10417.20175 or later.
- SharePoint Server Subscription Edition must be updated to build 16.0.19725.20434 or later.
For SharePoint Server Subscription Edition, Microsoft packages the correction in the July 14 security update KB5002882, build 16.0.19725.20434. Microsoft says that update is available through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
KB5002882 is cumulative and resolves many vulnerabilities beyond CVE-2026-55047. It also fixes a problem that prevented SharePoint 2010 workflows from starting after the June 2026 update, but introduces deployment details that administrators need to review rather than treating the package as a simple single-CVE hotfix.
Microsoft warns organizations using SharePoint Workflow Manager to install KB5002799 before KB5002882. Farms still using the Classic version of Workflow Manager must enable a documented server debug flag to continue using it. Microsoft also directs administrators to change a farm setting after running PSConfig because a defense-in-depth actor-token validation feature can cause a regression; the company says existing actor-token checks remain in place.
Those instructions make testing and post-installation validation essential. SharePoint teams should verify farm build levels, confirm that the configuration wizard or PSConfig completes successfully, test workflows, and review Upgrade Status and relevant Unified Logging System entries before declaring the deployment finished.
“Confirmed” Describes Evidence, Not Active Exploitation
The supplied report-confidence metric can easily be mistaken for an exploitability warning. In Microsoft’s advisory terminology, a “Confirmed” report-confidence value means the vendor acknowledges the vulnerability and considers the underlying evidence credible. It does not mean attacks have been confirmed in the wild.CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation for CVE-2026-55047 and assessed the attack as not readily automatable, with partial technical impact. As of July 15, the vulnerability was not identified among the actively exploited zero-days highlighted in broader reporting on Microsoft’s July release.
That gives administrators room to follow controlled change-management procedures, but it is not a reason to defer the update indefinitely. The vulnerability requires user interaction, has no integrity or availability impact in Microsoft’s scoring, and carries a Medium CVSS score, yet Microsoft classifies it as Important because the exposed information could be sensitive and the affected product footprint is extensive.
Public technical detail remains sparse. Microsoft has confirmed the out-of-bounds read and published affected-version boundaries, but it has not disclosed the malformed object, vulnerable parser, leaked data type, or reliable indicators of exploitation. NVD had also not assigned its own CVSS analysis by July 15, displaying Microsoft’s score while its record remained under enrichment.
Patch Priority Depends on Where Office Data Lives
For managed Windows endpoints, the first task is to verify that Microsoft 365 Apps update policies are actually advancing devices to a release containing the July fixes. Devices pinned to delayed channels, left offline, excluded from deployment rings, or failing Click-to-Run servicing can remain exposed after the organization approves the update centrally.Security teams should pay particular attention to endpoints that routinely process untrusted documents: help desks, recruitment teams, finance departments, legal staff, shared workstations, and systems used for document conversion or content review. Existing controls that restrict unsolicited attachments and isolate untrusted files still provide useful defensive layers, but Microsoft has not documented a complete workaround that replaces patching.
Perpetual Office installations require closer inventory work because Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 do not necessarily follow the same servicing path. An organization that reports “Office is patched” based solely on its Microsoft 365 Apps dashboard may miss fixed-version installations deployed through MSI packages or separate enterprise software-distribution tooling.
SharePoint Server deserves its own change ticket and verification plan. Administrators should confirm that every server in the farm reaches the required build, complete the necessary configuration phase, and account for the workflow and actor-token instructions attached to the July cumulative packages.
CVE-2026-55047 is not the loudest vulnerability in July’s release, but its footprint makes it easy to leave gaps. The concrete target is straightforward: bring Office 2016 to at least 16.0.5561.1000, Office for Mac to at least 16.111.26071215, and each supported SharePoint edition to Microsoft’s July 14 build before normal document handling resumes on systems that missed the initial rollout.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: techradar.com
Worrying Microsoft Office security flaw patched - update now or risk hackers accessing your files | TechRadar
Microsoft forced to issue an emergency patchwww.techradar.com - Official source: support.microsoft.com
Description of the security update for SharePoint Server Subscription Edition: July 14, 2026 (KB5002882) | Microsoft Support
Description of the security update for SharePoint Server Subscription Edition: July 14, 2026 (KB5002882)support.microsoft.com