CVE-2026-55120: Patch PowerPoint RCE in July 14 Updates

CVE-2026-55120 is a high-severity Microsoft PowerPoint vulnerability that can let an attacker run arbitrary code after a user opens or otherwise processes malicious content. Microsoft published the flaw on July 14, 2026, with a CVSS 3.1 score of 7.8 and classified it as remote code execution even though its attack vector is scored Local.
That combination is not contradictory. As Microsoft explains in its Security Update Guide, remote code execution describes the attacker’s ability to cause code to run on another person’s computer, while CVSS Attack Vector describes how the vulnerable PowerPoint component is reached during exploitation.
The practical attack path is therefore familiar: an attacker delivers a specially crafted presentation through email, a download, cloud storage, a messaging service, or removable media, and persuades the recipient to open it. PowerPoint then processes the file locally, triggering the vulnerability on the victim’s machine.

Cybersecurity graphic warning of malicious PowerPoint files enabling arbitrary code execution, urging a security patch.“Remote” Does Not Mean Network-Exploitable​

Microsoft describes CVE-2026-55120 as a heap-based buffer overflow in Microsoft Office PowerPoint. The vulnerability allows an unauthorized attacker to execute code locally, but the attacker does not need to be physically present at the affected PC or already signed in to Windows.
In this context, Microsoft uses remote code execution, or RCE, to describe the security outcome: attacker-controlled code runs on a remote victim’s system. The term is often used interchangeably with arbitrary code execution, although CVSS applies a narrower definition when deciding whether an attack vector is Network, Adjacent, Local, or Physical.
The CVSS vector assigned by Microsoft is:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The relevant metrics say:
  • The attack is processed locally by PowerPoint rather than directly through a network-facing service.
  • Exploitation has low attack complexity and does not require the attacker to hold an account or privileges on the target.
  • User interaction is required.
  • Successful exploitation can have a high impact on confidentiality, integrity, and availability.
The AV:L rating does not mean the attacker needs local access in the everyday sense of sitting at the computer, possessing its password, or having an existing shell. It means the vulnerable PowerPoint parser is not itself attacked across the network stack.
FIRST, the organization responsible for the CVSS standard, explicitly addresses this scenario in its CVSS 3.1 guidance. Document-parsing vulnerabilities are normally scored Local when the malicious document must be downloaded, received, or opened by a local application, regardless of whether the attacker delivered that document through a website, email, USB drive, or another channel.
If a malicious presentation arrives as an Outlook attachment, for example, the network and email infrastructure deliver the file. The actual vulnerability is not triggered until PowerPoint reads the content on the endpoint. CVSS consequently scores the vulnerable component’s attack path as Local.
By contrast, AV:N would generally indicate that PowerPoint itself exposed vulnerable functionality through a network protocol and could be attacked by sending traffic directly to it. CVE-2026-55120 does not appear to fit that model.

User Interaction Is the Critical Boundary​

The UI:R component of the CVSS vector is especially important for defenders. It indicates that exploitation requires action by someone other than the attacker, most likely opening or interacting with a crafted presentation.
That requirement helps explain why CVE-2026-55120 received a 7.8 High score rather than a Critical score. It is not described as a zero-click vulnerability that automatically compromises an internet-connected machine, nor is PowerPoint operating as a remotely accessible server in the documented attack path.
The need for interaction does not make the flaw harmless. Presentations are routinely exchanged among employees, customers, contractors, educators, and conference participants, giving attackers plausible opportunities to disguise malicious content as invoices, project updates, training decks, sales material, or event schedules.
Once triggered, the heap-based buffer overflow could permit code execution in the security context of the person running PowerPoint. A user operating with local administrator privileges would therefore expose more of the system than one using a standard Windows account.
Microsoft’s CVSS assessment assigns High impact to confidentiality, integrity, and availability. In practical terms, successful code execution could potentially be used to access data available to the user, modify files and settings, install additional payloads, or disrupt the application and system. The precise post-exploitation result would depend on the user’s privileges and the endpoint’s other security controls.

The Patch Covers Current Office Branches and PowerPoint 2016​

The CVE record lists Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, and PowerPoint 2016 among the affected Windows products. Microsoft’s Mac editions are also included, covering Microsoft 365 for Mac and Office LTSC for Mac 2021 and 2024.
For Mac installations, the CVE record identifies version 16.111.26071215 as the corrected threshold. PowerPoint 2016 for Windows is listed as affected below version 16.0.5561.1000.
Microsoft released KB5002867 for the MSI-based edition of PowerPoint 2016 as part of the July 14 Office security updates. The support document says the package resolves three PowerPoint RCE vulnerabilities: CVE-2026-55120, CVE-2026-55123, and CVE-2026-55043.
KB5002867 is available through Microsoft Update, the Microsoft Update Catalog, and the Microsoft Download Center. Microsoft notes that the downloadable package applies only to MSI-based PowerPoint 2016 installations and not to Click-to-Run editions such as Microsoft 365. Click-to-Run deployments receive their fixes through the applicable Office servicing channel and build rather than the standalone MSI package.
Administrators should verify the update state of each Office channel instead of assuming that installing KB5002867 covers every PowerPoint installation. Mixed estates may contain MSI-based Office 2016, Office LTSC, Microsoft 365 Apps, and Mac clients, each following a different servicing path.

Treat the File as Remote, Even When CVSS Calls the Exploit Local​

CVE terminology and CVSS metrics answer different questions. The title tells defenders that successful exploitation can produce code execution on a victim’s computer; AV:L identifies where the vulnerable operation occurs. Neither field, by itself, describes the complete delivery chain.
For email and web gateways, the relevant object remains the presentation file. Organizations should continue filtering unexpected PowerPoint attachments, scanning downloaded Office documents, and applying Mark-of-the-Web and Protected View policies where appropriate. Endpoint detection tools should also monitor suspicious child processes or unusual follow-on activity originating from POWERPNT.EXE.
Those controls supplement rather than replace the update. Social-engineering barriers can fail, trusted accounts can be compromised, and a presentation shared through an established collaboration channel may receive less scrutiny than an unsolicited attachment.
The central distinction is that CVE-2026-55120 is remotely deliverable but locally triggered. Microsoft’s RCE title reflects what an attacker can achieve on someone else’s computer, while the CVSS Local vector accurately records that PowerPoint must process the malicious content on that computer.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: caloes.ca.gov
 

Back
Top