CVE-2026-55057: Install July 14 Office Updates to Stop Data Exposure

Microsoft has patched CVE-2026-55057, an Important-rated information disclosure vulnerability affecting Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and supported Office editions for macOS. The flaw can expose sensitive information when a user interacts with malicious content, making the July 14, 2026 Office security updates the practical fix.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-55057 carries a CVSS 3.1 base score of 5.5. Microsoft classifies the underlying weakness as CWE-190, an integer overflow or wraparound error inside Microsoft Office.
The vulnerability was not publicly disclosed or known to be exploited when Microsoft published the advisory. That lowers the immediate risk compared with July’s actively exploited vulnerabilities, but it does not remove the need to update Office installations that routinely process documents received through email, collaboration platforms, downloads, or external storage.

Cybersecurity team monitors a dashboard as multiple laptops display warning alerts and vulnerable code.User Interaction Keeps the Attack Local​

Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The most important details are the local attack vector, required user interaction, and high potential confidentiality impact.
An attacker does not need an existing account or elevated privileges, but cannot exploit the issue entirely on their own over the network. A targeted user must take an action that causes Office to process the attacker-controlled content, such as opening a crafted document.
The successful outcome is information disclosure rather than code execution. Microsoft’s scoring indicates no direct loss of integrity or availability, meaning the vulnerability is not described as allowing an attacker to modify data, install software, or crash the affected system by itself.
The confidentiality rating is nevertheless High. That distinction matters because a 5.5 medium CVSS score can look unremarkable in a vulnerability dashboard even when the data potentially exposed by successful exploitation is valuable. Information retrieved from an Office process could conceivably help an attacker build a subsequent attack, although Microsoft has not publicly documented the precise data structures, memory contents, or application workflow involved in this case.
The integer overflow classification provides the clearest available technical clue. Integer overflow and wraparound bugs arise when a calculation produces a value outside the range that the software expects, potentially causing the result to reset, truncate, or otherwise become incorrect. In software that parses complex document structures, an incorrect size or offset calculation can lead to unintended access to information.
Microsoft has not published a proof of concept or detailed reproduction steps. Administrators should therefore avoid assuming that CVE-2026-55057 is limited to Word, Excel, PowerPoint, or another individual Office application unless later guidance identifies a specific component.

The Affected List Spans Subscription and Perpetual Office​

CVE-2026-55057 is not confined to an obsolete Office branch. Microsoft’s affected-product data includes both current subscription deployments and perpetual-license editions:
  • Microsoft 365 Apps for Enterprise is affected on 32-bit and 64-bit Windows systems.
  • Microsoft Office 2016 is affected below version 16.0.5561.1000.
  • Microsoft Office 2019 is affected on 32-bit and 64-bit Windows systems.
  • Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
  • Microsoft 365 for Mac is affected below version 16.111.26071215.
  • Office LTSC for Mac 2021 and Office LTSC for Mac 2024 are affected below version 16.111.26071215.
That spread makes inventory more important than the headline severity. Enterprises often have a mixture of Microsoft 365 Apps, older MSI-based Office 2016 installations, virtual desktop images, and LTSC deployments assigned to systems that require a fixed support baseline. macOS devices managed outside the primary Windows patching platform can also be missed if update compliance is checked only through Windows tooling.
Microsoft’s July 2026 Office release contains multiple component-specific packages rather than one universal Office 2016 update. The company’s July update index lists separate fixes for Excel 2016, Word 2016, PowerPoint 2016, and Office components including MSO, OART, Graph, Chart, and VBA.
For example, the July release includes KB5002886 for Excel 2016, KB5002890 for Word 2016, KB5002867 for PowerPoint 2016, and KB5002887 for the Office 2016 MSO component. Administrators should deploy every applicable July Office security update rather than selecting one package based solely on the generic “Microsoft Office” product name in the CVE record.
Click-to-Run editions follow Microsoft’s Office servicing channels rather than the MSI package model. Devices using Microsoft 365 Apps should be advanced to a current, patched build for their assigned channel, while Office for Mac installations should reach at least version 16.111.26071215.

“Confirmed” Describes Evidence, Not Active Exploitation​

The report-confidence text included in Microsoft’s advisory can be easy to misread. In CVSS terminology, a Confirmed report means sufficiently credible technical evidence exists or the vendor has confirmed the vulnerability. It does not mean attacks have been observed in the wild.
Microsoft’s temporal scoring gives CVE-2026-55057 a score of 4.8, reflecting an official fix, unproven exploit code, and confirmed reporting. SANS Internet Storm Center’s July Patch Tuesday summary likewise records the vulnerability as neither publicly disclosed nor exploited at release.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data marked exploitation as none, automation as no, and technical impact as partial. The vulnerability was also not identified as one of the July 2026 zero-days discussed in broader Patch Tuesday reporting.
Those assessments establish a useful deployment order. Internet-facing vulnerabilities and flaws already under active attack deserve priority, but CVE-2026-55057 should remain in the normal July Office patch cycle rather than being deferred indefinitely because its score is below Critical or High.
Office documents are a common boundary between trusted productivity software and untrusted external input. A flaw requiring a user to open a file can still be practical in environments where employees regularly exchange spreadsheets, presentations, proposals, invoices, and reports with parties outside the organization.

Patch Coverage Matters More Than a Temporary Workaround​

Microsoft has not documented a mitigation or workaround that provides equivalent protection. The durable response is to install the relevant July 14 Office updates and verify that Office applications have moved to patched versions.
For Microsoft 365 Apps, administrators should check update-channel assignments, deadline policies, and devices that have stopped reporting inventory. A policy that enables automatic updates is not proof that every endpoint has received them; laptops that remain offline, paused update channels, failed Click-to-Run services, and persistent application sessions can all delay deployment.
Organizations maintaining MSI-based Office 2016 should use Microsoft Update, Configuration Manager, Windows Server Update Services where applicable, or the Microsoft Update Catalog packages. Because the July release updates several shared and application-specific components, compliance rules should evaluate the complete Office security baseline rather than the presence of a single KB article.
Mac administrators should confirm that Microsoft 365 and Office LTSC installations report version 16.111.26071215 or later. Devices managed through Microsoft Intune, Jamf Pro, or another mobile-device-management platform need a separate compliance check from Windows endpoints.
Email filtering, Microsoft Defender protections, Protected View, and restrictions on documents from untrusted locations remain useful layers, but they are not substitutes for the vendor fix. They can reduce exposure to malicious files while deployment proceeds, particularly on systems that cannot be updated immediately.
CVE-2026-55057 is not the most urgent vulnerability in Microsoft’s unusually large July 2026 security release, but its reach across Microsoft 365 Apps and multiple Office LTSC generations makes incomplete deployment the central risk. The next milestone for IT teams is straightforward: establish that every supported Office branch has received its July update, then isolate or retire installations that cannot reach the patched build.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
  4. Related coverage: korporaalmedia.nl
  5. Related coverage: vuln.today
 

Back
Top