CVE-2026-55049: Patch Critical Microsoft Office RCE Flaw

CVE-2026-55049 is a critical Microsoft Office code-execution vulnerability that requires malicious content to be processed on the target device, despite Microsoft calling it a “Remote Code Execution Vulnerability.” The apparent contradiction comes from two security terms describing different parts of the attack: remote code execution identifies the attacker and outcome, while CVSS Attack Vector: Local identifies where the vulnerable operation occurs.
Microsoft published the vulnerability on July 14, 2026, as part of its July Office security updates. The Microsoft Security Response Center describes it as a heap-based buffer overflow that could allow an unauthorized attacker to execute code, while the CVSS 3.1 vector rates it at 7.8: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
In practical terms, this is not a network-service vulnerability that can be triggered simply by sending packets to an exposed port. An attacker must instead persuade a user to open or otherwise process malicious content locally in Microsoft Office.

Infographic showing a malicious document exploiting a parser heap overflow to execute arbitrary code.“Remote” Describes Who Controls the Code​

Microsoft’s title uses “remote code execution” to indicate that an attacker located elsewhere can ultimately cause attacker-controlled code to run on the victim’s computer. The attacker does not need to be physically present, logged on interactively, or already operating through a local account.
A weaponized Office document might be delivered by email, downloaded from a website, transferred through Microsoft Teams, or placed in a shared storage location. Once the victim opens the file and Office processes its malicious data, the vulnerable code path executes on that computer.
That distinction is why Microsoft notes that this class of weakness is also sometimes called arbitrary code execution, or ACE. RCE is the familiar impact category, but it does not necessarily mean that the vulnerable application accepts the exploit directly over a network connection.
The outcome remains serious. Successful exploitation could let the attacker run code within the security context of the user running Office, potentially exposing documents and credentials or allowing malware installation. The CVSS vector assigns high impact to confidentiality, integrity, and availability.

CVSS Scores the Exploit’s Point of Entry​

The AV:L component does not describe the attacker’s physical location. It describes the access path needed to reach the vulnerable component under the CVSS rules maintained by the Forum of Incident Response and Security Teams.
FIRST’s CVSS guidance treats content-processing vulnerabilities as local when malicious data must first reach the device and then be opened, loaded, or executed there. The vulnerable Office parser is not being attacked across the network as a listening service; it encounters the exploit while processing content on the endpoint.
That differs from a vulnerability marked AV:N, or Attack Vector: Network. A network-vector flaw can be exploited by interacting with the vulnerable component through the network stack, potentially across routers and the public internet. Vulnerable web servers, remote-management services, and network protocols are common examples.
CVE-2026-55049’s remaining metrics reinforce the document-driven model:
  • AC:L means Microsoft considers the attack complexity low once the required conditions are present.
  • PR:N means the attacker does not need prior privileges on the target system.
  • UI:R means another user must perform an action for exploitation to succeed.
  • S:U means the security authority affected by exploitation remains unchanged.
  • C:H/I:H/A:H represents potentially high impact to confidentiality, integrity, and availability.
The combination of AV:L and UI:R is therefore important. It indicates that a user or user-initiated process must participate, rather than Office being silently compromised through an unsolicited network request.

A Heap Overflow Turns a File into Code​

The underlying weakness is classified as CWE-122, a heap-based buffer overflow. This occurs when software writes more data into a heap-allocated memory buffer than the buffer can hold, potentially corrupting nearby memory.
MITRE’s CWE documentation notes that heap overflows often cause application crashes, but carefully controlled corruption can also alter function pointers or other runtime structures. That can redirect execution into attacker-controlled instructions, converting a malformed document from passive data into a code-execution mechanism.
Microsoft has not publicly documented the precise Office file format, parser, or exploit sequence involved in CVE-2026-55049. The available advisory therefore supports a general attack model rather than proof that every affected Office application can be exploited through every document format.
The absence of those technical details is normal for newly released Microsoft security fixes. It limits immediate defensive signatures based on a specific file structure, however, making patch deployment and established attachment controls more dependable than trying to identify one known exploit pattern.
The Zero Day Initiative’s July 2026 security update review lists CVE-2026-55049 as critical, with no public disclosure and no known exploitation at release. That status can change as researchers compare patched and unpatched Office binaries, so administrators should not treat the lack of observed attacks on July 14 as evidence that exploitation will remain impractical.

The Affected Office Footprint Is Broad​

The CVE record covers Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 on Windows. Microsoft also lists Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024.
For Office 2016, the CVE data identifies versions earlier than 16.0.5561.1000 as affected. The patched Mac release is identified as version 16.111.26071215. Click-to-Run products use Microsoft’s Office security-release servicing information rather than one universal fixed build across every update channel.
Microsoft’s July 2026 Office update catalog includes multiple component-specific packages for Office 2016, including updates associated with Excel, Word, PowerPoint, the Visual Basic for Applications runtime, and shared Office components. Administrators managing MSI installations should inventory the installed Office components rather than assuming that one Windows cumulative update covers the suite.
Microsoft 365 Apps deployments should verify that clients have received the relevant Office build through their assigned update channel. Configuration Manager, Intune, Microsoft 365 Apps admin center inventory, or another endpoint-management platform can identify machines that have stopped updating or remain pinned to an older build.
Because CVE-2026-55049 also affects macOS editions, Windows patch compliance alone is not sufficient for organizations with mixed fleets. Mac update enforcement and version reporting need to be included in the same remediation effort.

Patch the Parser and Keep the Delivery Controls​

Email filtering, Microsoft Defender protections, Protected View, Mark of the Web handling, and restrictions on untrusted Office content can reduce exposure to document-based attacks. They should remain in place, particularly where users regularly receive attachments from outside the organization.
Those measures do not replace the update. Files may arrive through cloud shares, collaboration platforms, USB storage, archives, or internal accounts that have already been compromised. Security prompts can also be dismissed, and trusted locations can turn into bypass routes if they are broadly configured.
Administrators should prioritize installing the July 14, 2026 Office security updates, confirm the resulting product versions, and investigate devices that fail to report current Office builds. Endpoint detections should also watch for Office applications spawning unusual child processes or writing executables into user-writable directories, although successful exploitation does not have to follow one predictable process chain.
The terminology is ultimately less contradictory than it first appears: the attacker can be remote, the malicious file can be delivered remotely, and the resulting code can be attacker-controlled, while the vulnerable Office operation still executes locally. For CVE-2026-55049, AV:L is a warning that user-mediated content processing is required—not an indication that an attacker must already have local access to the PC.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top