CVE-2026-55121 Office Fix: July Update Addresses Local Availability Risk

Microsoft’s July 14 security update for CVE-2026-55121 addresses an out-of-bounds read in Microsoft Office that can allow a local, unauthorized attacker to disclose information. But the practical impact currently published by Microsoft and mirrored by the National Vulnerability Database does not match the confidentiality-and-performance scenario sometimes associated with this CVE: the authoritative CVSS 3.1 vector rates it 5.5, with no confidentiality or integrity impact and high availability impact.
That distinction matters for Windows administrators deciding how urgently to deploy the Office and SharePoint fixes. CVE-2026-55121 is a local attack path rather than a network-reachable Office flaw, requires user interaction, and is not described as remotely exploitable. Still, it affects a broad spread of current and legacy Office deployments, including Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC 2021 and 2024, macOS Office releases, and three on-premises SharePoint Server generations.
Microsoft published the advisory on July 14, 2026. The NVD entry, which is still undergoing enrichment, identifies the flaw as CWE-125, an out-of-bounds read, and reproduces Microsoft’s CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
In plain English, that score says an attacker needs local access or a way to make a user process malicious content locally; no prior privileges are required, but the victim must interact with the attack. Microsoft’s supplied vector assigns the primary consequence to availability, not data theft or data alteration.

Cybersecurity illustration showing a shield protecting documents, Microsoft apps, SharePoint, and servers from threats.The severity details conflict with the stated “information disclosure” label​

The naming here is confusing because the vulnerability title and NVD description both call this an information-disclosure issue. The NVD description says an out-of-bounds read in Microsoft Office “allows an unauthorized attacker to disclose information locally.” Yet the CVSS impacts currently attributed to Microsoft are C:N/I:N/A:H: no impact to confidentiality, no impact to integrity, and high impact to availability.
That is materially different from a C:L/I:N/A:L rating, which would indicate limited exposure of sensitive data from memory and only a limited degradation in application availability. It is also different from a scenario in which an attacker can read reusable credentials, documents, or secrets from process memory. Neither Microsoft’s currently published CVSS vector nor the NVD record supports that conclusion.
The more defensible operational reading, based on the available record, is that the bug is a local Office parsing or processing defect whose demonstrated security impact is significant interruption or loss of availability in the affected application or service. It should not be described as an Office flaw that lets an attacker modify documents, alter SharePoint content, or take control of a Windows system.
The label may yet be clarified. The NVD marks the record as undergoing enrichment, meaning its own assessment, product metadata, weakness mapping, and references can change as analysts process the entry. But as of July 15, the Microsoft-provided CVSS data is the clearest available signal for patch prioritization.

Office desktops and SharePoint farms both need attention​

The affected software list is larger than a typical desktop Office advisory. According to the Microsoft data published through the NVD, affected products include:
  • Microsoft 365 Apps for enterprise on 32-bit and x64 Windows systems before the applicable current security release.
  • Microsoft Office 2016 before version 16.0.5561.1000.
  • Microsoft Office 2019, Office LTSC 2021, and Office LTSC 2024 before their applicable current security releases.
  • Office for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 before version 16.111.26071215.
  • SharePoint Enterprise Server 2016 before 16.0.5561.1001.
  • SharePoint Server 2019 before 16.0.10417.20175.
  • SharePoint Server Subscription Edition before 16.0.19725.20434.
For endpoint teams, this should go through the standard Office servicing workflow rather than be treated as a Windows cumulative update. Microsoft 365 Apps installations normally obtain the relevant code through the configured update channel, while perpetual Office and Office LTSC installations may require the matching security update or enterprise deployment package. Administrators should confirm the installed version after the update cycle rather than simply relying on a completed software-distribution job.
The SharePoint entries deserve separate handling. Unlike desktop Office, SharePoint servers can underpin document collaboration, intranet publishing, workflow, search, and business integrations. A high-availability-impact condition in SharePoint has a much broader business consequence than a single user’s Word or Excel session failing, even if the underlying attack begins locally and requires interaction.
For SharePoint 2016, 2019, and Subscription Edition, administrators should validate the farm’s baseline, deploy the appropriate Microsoft update in accordance with their normal maintenance procedure, and confirm service health afterward. Search, distributed cache, workflow components, custom web parts, and third-party integrations all make post-patch validation more important than a simple build-number check.

Local and user-driven does not mean ignorable​

A 5.5 Medium rating should not trigger the same emergency response as an actively exploited remote-code-execution bug, particularly where an attacker can reach Office through email or the web without local access. The available CISA Stakeholder-Specific Vulnerability Categorization data classifies exploitation as “none,” automation as “no,” and technical impact as “partial.” There is no indication in the published record that the flaw is being exploited in the wild.
However, local attack requirements do not eliminate enterprise relevance. Attackers who already have a foothold on a workstation often seek ways to crash security tooling, disrupt productivity applications, interfere with investigative activity, or create operational friction while pursuing a larger intrusion. In that context, a high-availability Office vulnerability can be a supporting technique rather than the opening move.
User interaction is also a meaningful condition, not a guarantee of safety. In Office security advisories, it commonly means a victim must open, preview, import, or otherwise interact with attacker-controlled content. Organizations that permit unrestricted macros, accept documents from external parties, or use Office applications in automated document-processing workflows should consider whether their exposure is higher than the base score implies.
The immediate mitigation is straightforward: update the affected Office and SharePoint products. Until patches are confirmed, organizations should continue their ordinary document-handling controls, including Mark of the Web protections, macro restrictions, attachment filtering, endpoint protection, least-privilege access, and separation of administrative activity from daily productivity workloads. Those controls reduce opportunities for an attacker to turn user interaction into an actionable local event, but they are not replacements for the vendor fix.

Patch verification should focus on the actual product path​

This advisory is also a reminder that “Office is updated” is not a reliable compliance statement. A Windows device may have Microsoft 365 Apps managed by the Current Channel, an Office LTSC installation managed by Configuration Manager, and a SharePoint server updated on a distinct maintenance cadence. Each uses a different servicing path, inventory source, and success criterion.
For Microsoft 365 Apps, check the installed version against the current release for the organization’s update channel. For Office 2016, the specific threshold is version 16.0.5561.1000. On Macs, the relevant minimum is 16.111.26071215. For SharePoint, confirm each server reaches the product-specific minimum build and that all nodes in the farm are aligned.
The key takeaway is not that CVE-2026-55121 exposes Office documents or lets an attacker change data; the published technical record does not establish either outcome. It is that Office and SharePoint administrators should deploy the July 2026 fixes, verify their versions, and treat the advisory as an availability-focused local vulnerability until Microsoft revises the record or provides more technical detail.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top