CVE-2026-55055 is a high-severity Microsoft Word code-execution vulnerability, but its CVSS attack vector is Local rather than Network. The apparent contradiction comes from two different uses of remote: Microsoft’s title describes the attacker’s position, while CVSS describes where the vulnerable component must process the malicious input.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly Office security updates. The Microsoft Security Response Center rates it at CVSS 3.1 score 7.8, with the vector
That vector says exploitation has low complexity, requires no existing privileges, and can compromise confidentiality, integrity, and availability. It also requires user interaction and execution through a local Word process, which is why the attack vector is
In vulnerability naming, remote code execution commonly means that an attacker can cause code to run on somebody else’s system without first having an authenticated local account or an interactive session on that machine. The attacker may deliver the malicious content remotely through email, a download, a shared document, or another distribution channel.
CVSS Attack Vector measures something narrower. It asks how the vulnerable component is reached during exploitation:
Microsoft addresses this distinction directly in its Security Update Guide. The company says “Remote” refers to the location of the attacker and notes that this class of issue is also called arbitrary code execution, or ACE. The exploitation itself occurs locally because the attacker or victim must cause code to execute from the local machine.
The title and vector consequently describe different stages of the same attack. Delivery may be remote, but the vulnerable parsing and code execution happen inside the local Office environment.
A successful attacker could potentially redirect program execution and run arbitrary code with the rights of the affected Word process. If the user has administrative privileges, that may give the attacker a substantially larger foothold than exploitation under a restricted standard account.
The
The likely operational pattern is familiar to defenders: an attacker supplies crafted content, and a user or local workflow causes Word to process it. A document sent from outside the organization can therefore lead to remote compromise even though the actual vulnerability is triggered locally.
This distinction also explains why “Remotely Exploitable: No” can appear in vulnerability databases without contradicting the Microsoft Word Remote Code Execution title. In that context, “remotely exploitable” means directly reachable over a network according to the scoring model—not whether an off-site attacker can initiate the broader campaign.
Attack Complexity is Low, indicating that Microsoft does not require highly specialized environmental conditions for exploitation. Privileges Required is None, so the attacker does not need a pre-existing account on the target system before preparing or delivering the exploit.
Scope is Unchanged because the exploited Word component and the affected security authority remain within the same boundary under CVSS rules. The three High impact ratings indicate that successful exploitation could expose data, modify files or system state, and disrupt availability.
The practical reading is that CVE-2026-55055 has a meaningful impact but includes a delivery hurdle: Word must locally process the crafted input, with user interaction involved. That is less immediately dangerous than an unauthenticated
Email filtering, Protected View, Mark of the Web handling, application control, and running users without administrator rights can all reduce exposure or constrain the outcome. None should be treated as a substitute for installing Microsoft’s fix, particularly because legitimate collaboration channels and internal file shares can make malicious Office documents appear trustworthy.
For MSI-based Word 2016 installations, Microsoft’s July package is KB5002890. Microsoft’s July 2026 Office update index also lists the corresponding SharePoint packages, including KB5002891 and KB5002892 for SharePoint Server 2016, KB5002883 and KB5002885 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition.
The SharePoint presence matters because administrators should not assume this is exclusively a desktop Word problem. Server products can incorporate shared Office components or document-processing functionality, so patch inventories need to cover the affected SharePoint farms as well as endpoints.
Mac administrators should verify that affected Office installations have reached version 16.111.26071215 or later, according to Microsoft’s affected-version data. Microsoft 365 Apps and Click-to-Run Office deployments should be checked against the current Office security release builds for their servicing channel rather than relying solely on Windows Update history.
SharePoint updates require their normal deployment discipline, including prerequisite checks, farm-wide installation, and execution of the required configuration upgrade steps. Microsoft also documents Workflow Manager considerations for some of the July SharePoint packages, making staged testing especially important for farms that still depend on legacy workflows.
CVE-2026-55055 should ultimately be prioritized as a document-processing code-execution flaw, not mistaken for a directly network-reachable Word service vulnerability. The Local CVSS vector describes the point of exploitation; Microsoft’s Remote Code Execution title describes the attacker’s ability to make code run on a remote victim’s machine. Installing the July 14, 2026 Office and SharePoint updates closes both sides of that terminology gap—and, more importantly, the underlying stack-based buffer overflow.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly Office security updates. The Microsoft Security Response Center rates it at CVSS 3.1 score 7.8, with the vector
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.That vector says exploitation has low complexity, requires no existing privileges, and can compromise confidentiality, integrity, and availability. It also requires user interaction and execution through a local Word process, which is why the attack vector is
AV:L.
Remote Code Execution Does Not Mean Network Exploitation
In vulnerability naming, remote code execution commonly means that an attacker can cause code to run on somebody else’s system without first having an authenticated local account or an interactive session on that machine. The attacker may deliver the malicious content remotely through email, a download, a shared document, or another distribution channel.CVSS Attack Vector measures something narrower. It asks how the vulnerable component is reached during exploitation:
AV:Nmeans the vulnerability can be exercised through a network-facing interface or protocol.AV:Alimits exploitation to an adjacent network.AV:Lmeans the vulnerable component processes the attack through a local execution context.AV:Prequires physical access or manipulation.
AV:N vulnerability in which an attacker directly sends a specially formed network request to a listening Word service. Instead, malicious content must reach Word and be processed on the target machine.Microsoft addresses this distinction directly in its Security Update Guide. The company says “Remote” refers to the location of the attacker and notes that this class of issue is also called arbitrary code execution, or ACE. The exploitation itself occurs locally because the attacker or victim must cause code to execute from the local machine.
The title and vector consequently describe different stages of the same attack. Delivery may be remote, but the vulnerable parsing and code execution happen inside the local Office environment.
A Malicious Document Still Needs a Local Trigger
Microsoft identifies CVE-2026-55055 as a stack-based buffer overflow in Microsoft Office Word. The weakness is catalogued as CWE-121, a memory-safety error in which data exceeds the capacity of a stack buffer and can overwrite adjacent memory.A successful attacker could potentially redirect program execution and run arbitrary code with the rights of the affected Word process. If the user has administrative privileges, that may give the attacker a substantially larger foothold than exploitation under a restricted standard account.
The
UI:R portion of the CVSS vector is an important qualifier. It means user interaction is required; CVE-2026-55055 is not classified as a zero-click network attack.The likely operational pattern is familiar to defenders: an attacker supplies crafted content, and a user or local workflow causes Word to process it. A document sent from outside the organization can therefore lead to remote compromise even though the actual vulnerability is triggered locally.
This distinction also explains why “Remotely Exploitable: No” can appear in vulnerability databases without contradicting the Microsoft Word Remote Code Execution title. In that context, “remotely exploitable” means directly reachable over a network according to the scoring model—not whether an off-site attacker can initiate the broader campaign.
The CVSS Vector Shows the Real Deployment Risk
The complete Microsoft vector is more informative than either the title or the Local designation on its own:CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HAttack Complexity is Low, indicating that Microsoft does not require highly specialized environmental conditions for exploitation. Privileges Required is None, so the attacker does not need a pre-existing account on the target system before preparing or delivering the exploit.
Scope is Unchanged because the exploited Word component and the affected security authority remain within the same boundary under CVSS rules. The three High impact ratings indicate that successful exploitation could expose data, modify files or system state, and disrupt availability.
The practical reading is that CVE-2026-55055 has a meaningful impact but includes a delivery hurdle: Word must locally process the crafted input, with user interaction involved. That is less immediately dangerous than an unauthenticated
AV:N/UI:N flaw in an internet-facing service, but it remains well suited to phishing and document-based intrusion attempts.Email filtering, Protected View, Mark of the Web handling, application control, and running users without administrator rights can all reduce exposure or constrain the outcome. None should be treated as a substitute for installing Microsoft’s fix, particularly because legitimate collaboration channels and internal file shares can make malicious Office documents appear trustworthy.
Word and SharePoint Products Need July’s Updates
The affected-product data submitted by Microsoft includes Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, Word 2016, Office 365 for Mac, and Office LTSC editions for Mac. Microsoft also lists SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition among the affected deployments.For MSI-based Word 2016 installations, Microsoft’s July package is KB5002890. Microsoft’s July 2026 Office update index also lists the corresponding SharePoint packages, including KB5002891 and KB5002892 for SharePoint Server 2016, KB5002883 and KB5002885 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition.
The SharePoint presence matters because administrators should not assume this is exclusively a desktop Word problem. Server products can incorporate shared Office components or document-processing functionality, so patch inventories need to cover the affected SharePoint farms as well as endpoints.
Mac administrators should verify that affected Office installations have reached version 16.111.26071215 or later, according to Microsoft’s affected-version data. Microsoft 365 Apps and Click-to-Run Office deployments should be checked against the current Office security release builds for their servicing channel rather than relying solely on Windows Update history.
SharePoint updates require their normal deployment discipline, including prerequisite checks, farm-wide installation, and execution of the required configuration upgrade steps. Microsoft also documents Workflow Manager considerations for some of the July SharePoint packages, making staged testing especially important for farms that still depend on legacy workflows.
CVE-2026-55055 should ultimately be prioritized as a document-processing code-execution flaw, not mistaken for a directly network-reachable Word service vulnerability. The Local CVSS vector describes the point of exploitation; Microsoft’s Remote Code Execution title describes the attacker’s ability to make code run on a remote victim’s machine. Installing the July 14, 2026 Office and SharePoint updates closes both sides of that terminology gap—and, more importantly, the underlying stack-based buffer overflow.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com