CVE-2026-55050: Patch Word Memory Leak With KB5002890

CVE-2026-55050 exposes information through an out-of-bounds read in Microsoft Word, affecting Microsoft 365 Apps, Office 2019, Office LTSC editions, Word 2016, Office for Mac, and Word components used by supported SharePoint Server releases. Microsoft fixed the vulnerability in its July 14, 2026 security updates and rates it Important, despite a moderate CVSS 3.1 base score of 5.5.
Detailed in the Microsoft Security Response Center advisory and corroborated by the National Vulnerability Database, the flaw requires an attacker to persuade a user to interact with malicious content. Successful exploitation can disclose data from memory, but it does not directly modify files, execute code, or disrupt the affected system.
Microsoft says the vulnerability was neither publicly disclosed nor exploited when the update shipped. Its exploitability assessment is Exploitation Unlikely, making CVE-2026-55050 less urgent than the actively exploited vulnerabilities in July’s unusually large Patch Tuesday release—but not one administrators should leave open indefinitely.

Cybersecurity scene showing Word documents, data transfer, warning signs, servers, and protective shields.A Memory Read Becomes a Confidentiality Problem​

CVE-2026-55050 is classified as CWE-125, an out-of-bounds read. This class of vulnerability appears when software reads beyond the intended boundary of a memory buffer, potentially returning data that the process was not supposed to expose.
In Word, the practical concern is that a specially crafted document or other malicious content could cause the application to reveal information from its memory. Microsoft’s CVSS vector assigns a high confidentiality impact while recording no integrity or availability impact. In other words, the vulnerability is about extracting information rather than changing data or crashing the application.
The attack is local in CVSS terms, but that designation should not be mistaken for requiring physical access or an existing account. The vector records no privileges required and user interaction required, which is consistent with a document-based attack in which a remote adversary delivers the content but needs the recipient to open or otherwise process it.
The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Attack complexity is low, scope remains unchanged, and an attacker does not need authenticated access to the target system. The required user action is the main limiting factor.
Microsoft has marked the vulnerability’s report confidence as confirmed, indicating that the vendor has sufficient technical evidence to verify the flaw. That is different from saying exploitation has been observed: confirmation describes confidence in the vulnerability’s existence and technical details, while the exploitability fields describe current attacker activity and Microsoft’s estimate of likely weaponization.

Word’s Reach Extends Beyond the Desktop App​

The affected-product list makes CVE-2026-55050 broader than a single boxed copy of Word. According to the CVE record supplied by Microsoft, vulnerable products include:
  • Microsoft 365 Apps for Enterprise on 32-bit and 64-bit Windows systems is affected until the applicable Office security release is installed.
  • Microsoft Office 2019 on 32-bit and 64-bit systems is affected.
  • Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on both supported Windows architectures.
  • Microsoft Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 are affected before version 16.111.26071215.
  • Microsoft Word 2016 is affected before version 16.0.5561.1000.
  • SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition contain affected Word-related components.
The SharePoint entries matter because Office parsing technology is not confined to applications launched from the Windows Start menu. Microsoft’s July updates associate CVE-2026-55050 with SharePoint Server and Office Online Server packages, so administrators should not consider the issue remediated merely because managed Windows endpoints received Microsoft 365 Apps updates.
For Microsoft Word 2016, the dedicated fix is KB5002890. Microsoft says the update brings affected Word 2016 installations to version 16.0.5561.1000 and replaces the previously released KB5002879 update.
KB5002890 applies specifically to the Windows Installer, or MSI-based, edition of Word 2016. Microsoft notes that the standalone package does not apply to Click-to-Run installations such as Microsoft 365 Apps, which receive servicing through their configured Office update channel.
That distinction is important during compliance checks. Finding KB5002890 is a useful test for MSI-based Word 2016, but its absence does not prove that a Click-to-Run device remains vulnerable. Administrators must compare the installed Office version and update channel with Microsoft’s July 2026 Office security release data.

SharePoint Farms Need Their Own Patch Plan​

Microsoft’s affected-version data places SharePoint Enterprise Server 2016 installations before build 16.0.5561.1001 at risk. SharePoint Server 2019 is affected before build 16.0.10417.20175, while SharePoint Server Subscription Edition is affected before build 16.0.19725.20434.
The July package for SharePoint Server Subscription Edition is KB5002882. It addresses CVE-2026-55050 alongside a much larger group of SharePoint and Word vulnerabilities, including remote-code-execution, elevation-of-privilege, spoofing, information-disclosure, and security-feature-bypass flaws.
Deploying KB5002882 is not simply an endpoint-style install-and-reboot exercise. Microsoft instructs farms using SharePoint Workflow Manager to install KB5002799 first. Organizations still running the Classic version of Workflow Manager must also enable a specified farm debug flag to maintain workflow operation.
Microsoft documents an additional post-update consideration for SharePoint Server Subscription Edition. After running PSConfig, administrators are instructed to use PowerShell to disable a defense-in-depth actor-token audience validation feature that can cause a regression. Microsoft says the existing actor-token validation checks remain active, but the requirement adds another item to the deployment and validation runbook.
These operational notes are not caused solely by CVE-2026-55050, but they affect the package that closes it. SharePoint teams should therefore treat the July cumulative update as a farm change requiring prerequisite verification, configuration-database upgrade work, service validation, and testing of workflows and Office document handling.
Office Online Server also received KB5002884 in Microsoft’s July Office update set. Organizations using browser-based document viewing or editing should inventory that server role separately rather than assuming SharePoint patching automatically covers every Office component in the environment.

Moderate Score, Broad Deployment Surface​

A 5.5 CVSS score can easily fall behind critical remote-code-execution vulnerabilities in a busy maintenance cycle. That prioritization is rational: CVE-2026-55050 requires user interaction, is not remotely exploitable at the protocol level, and was not known to be under attack at publication.
Its high confidentiality impact nevertheless makes it relevant to systems where Word processes sensitive documents or where users routinely handle files from external parties. Legal, financial, government, healthcare, engineering, and incident-response environments may place greater weight on possible memory disclosure than the numerical score alone suggests.
Document vulnerabilities also benefit from a familiar delivery mechanism. An attacker does not need to introduce a new executable if malicious Office content can be sent through email, collaboration platforms, file-transfer portals, or compromised websites. Protected View, mail filtering, attachment sandboxing, and restrictions on files from untrusted locations remain useful layers, but they are not substitutes for correcting the vulnerable parser.
Microsoft’s Exploitation Unlikely rating means the company does not expect reliable exploitation to become common, not that exploitation is impossible. No public disclosure or observed attack was recorded when the advisory was published on July 14, 2026, and the National Vulnerability Database was still enriching its record one day later. Technical details or proof-of-concept work could still emerge after deployment decisions have been made.
For most organizations, the appropriate action is to include CVE-2026-55050 in the normal July Office and SharePoint rollout while accelerating coverage for users who open large volumes of externally supplied documents. Endpoint teams should verify Microsoft 365 Apps servicing status, MSI-based Word 2016 systems should receive KB5002890, and Mac administrators should confirm version 16.111.26071215 or later.
The more consequential gap may be on servers. SharePoint Server and Office Online Server can escape desktop-focused vulnerability scans, yet Microsoft explicitly lists supported SharePoint builds among the affected products. July’s patch cycle is complete only when both the applications users open and the server-side components processing their documents have crossed the fixed-version boundary.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top