CVE-2026-55123 is a Microsoft PowerPoint code-execution flaw that can be triggered when a user opens a malicious presentation, but it is not directly exploitable across a network connection. Microsoft published the vulnerability on July 14, 2026, with a CVSS 3.1 score of 7.8 and the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
The apparent contradiction between Microsoft’s Remote Code Execution title and the local attack vector comes from two different classification questions. “Remote code execution” describes the possible outcome and the attacker’s relationship to the targeted computer, while CVSS Attack Vector describes where the vulnerable operation must occur.
As Microsoft explains in its Security Update Guide, an attacker can be somewhere else and send a weaponized PowerPoint file to the victim. PowerPoint must then process that file on the victim’s local computer, making AV:L the appropriate CVSS metric.
Security teams often use RCE as shorthand for vulnerabilities that can be exploited by sending packets directly to a listening service. A flaw in Remote Desktop Protocol, Windows DHCP Server, or an internet-facing SharePoint installation can fit that familiar model: the attacker communicates with the vulnerable service over a network and potentially gains code execution without first placing a user-controlled file into a local application.
CVE-2026-55123 follows a different path. Microsoft describes it as a heap-based buffer overflow in Microsoft Office PowerPoint that allows an unauthorized attacker to execute code locally. Tenable’s July PowerPoint advisory likewise lists it alongside CVE-2026-55043 and CVE-2026-55120 as a group of heap-overflow vulnerabilities corrected by Microsoft’s July 2026 Office updates.
The likely attack sequence is straightforward:
This distinction is why the CVSS vector includes AV:L and UI:R. User interaction required means the attacker cannot complete the exploit independently; the victim must open the crafted presentation or otherwise cause PowerPoint to process it.
Microsoft also says the Preview Pane is not an attack vector. That detail matters for triage because it indicates that simply selecting the file in File Explorer or an email client’s attachment list is not expected to trigger the vulnerability through preview processing.
CVSS is more precise about reachability. AV:L means the vulnerable component is accessed through a local execution path rather than directly across a network or adjacent network. It does not necessarily mean the attacker needs an existing account, an interactive desktop session, or physical access to the computer.
Those requirements are represented by other CVSS fields. CVE-2026-55123 has PR:N, meaning no prior privileges are required, but UI:R confirms that another person must participate in the exploitation chain. Its low attack complexity rating indicates that Microsoft does not identify unusual race conditions, environmental dependencies, or elaborate preparation beyond getting the malicious content processed.
The high confidentiality, integrity, and availability impact values explain the 7.8 score. Successful exploitation could let the payload access data available to the logged-on user, alter files or settings, install additional software, and disrupt the affected account’s environment.
The user’s privilege level remains an important boundary. Code launched through PowerPoint would normally inherit the victim’s rights. A user running with standard permissions offers the attacker less immediate control than an administrator, although the initial compromise could still expose documents, browser sessions, cloud credentials, mapped drives, and other resources accessible to that account.
Microsoft’s affected-product data includes Microsoft 365 Apps for Enterprise, PowerPoint 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office 365 for Mac, and the corresponding Office LTSC editions for Mac. Both 32-bit and 64-bit Windows editions appear in the affected configurations where applicable.
For MSI-based PowerPoint 2016 installations, Microsoft released KB5002867 on July 14. Tenable identifies version 16.0.5561.1000 as the corrected PowerPoint 2016 MSI build. Microsoft 365 Apps and other Click-to-Run Office products receive fixes through their applicable servicing channels rather than the standalone Office 2016 MSI package.
Administrators should therefore verify the actual Office deployment type before treating KB5002867 as a universal remedy. Installing that package is appropriate for supported MSI-based PowerPoint 2016 deployments, but it does not replace Microsoft 365 Apps update-channel management or the separate servicing mechanisms used by Mac editions.
Microsoft did not list CVE-2026-55123 as publicly disclosed or actively exploited when the July advisory was released. The vulnerability was also absent from the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog at publication. That reduces the evidence for immediate exploitation in the wild, but it does not remove the phishing-friendly attack path created by malicious Office documents.
The relevant controls are endpoint patching, attachment filtering, email and collaboration-platform scanning, application isolation, and least-privilege user accounts. Microsoft Defender for Office 365 Safe Attachments, Microsoft Defender Antivirus, attack surface reduction policies, and sandboxing can provide additional layers, but the security update corrects the vulnerable PowerPoint code itself.
Organizations that cannot update immediately should apply stricter handling to untrusted presentation files and avoid opening unexpected
The practical reading is simple: CVE-2026-55123 is remotely deliverable but locally triggered. Microsoft’s RCE label describes the attacker-controlled code-execution result; AV:L records that PowerPoint must process the malicious file on the endpoint. The durable fix is to update every affected Office channel, including deploying KB5002867 where PowerPoint 2016 MSI remains in service.
The apparent contradiction between Microsoft’s Remote Code Execution title and the local attack vector comes from two different classification questions. “Remote code execution” describes the possible outcome and the attacker’s relationship to the targeted computer, while CVSS Attack Vector describes where the vulnerable operation must occur.
As Microsoft explains in its Security Update Guide, an attacker can be somewhere else and send a weaponized PowerPoint file to the victim. PowerPoint must then process that file on the victim’s local computer, making AV:L the appropriate CVSS metric.
Remote Delivery Is Not a Network Attack Vector
Security teams often use RCE as shorthand for vulnerabilities that can be exploited by sending packets directly to a listening service. A flaw in Remote Desktop Protocol, Windows DHCP Server, or an internet-facing SharePoint installation can fit that familiar model: the attacker communicates with the vulnerable service over a network and potentially gains code execution without first placing a user-controlled file into a local application.CVE-2026-55123 follows a different path. Microsoft describes it as a heap-based buffer overflow in Microsoft Office PowerPoint that allows an unauthorized attacker to execute code locally. Tenable’s July PowerPoint advisory likewise lists it alongside CVE-2026-55043 and CVE-2026-55120 as a group of heap-overflow vulnerabilities corrected by Microsoft’s July 2026 Office updates.
The likely attack sequence is straightforward:
- An attacker creates or supplies a specially crafted PowerPoint presentation.
- The file reaches the target through email, chat, cloud storage, a collaboration platform, a download, or removable media.
- A user opens the presentation in a vulnerable version of PowerPoint.
- PowerPoint processes the malicious content and triggers memory corruption.
- Attacker-controlled code runs in the context of the affected user.
This distinction is why the CVSS vector includes AV:L and UI:R. User interaction required means the attacker cannot complete the exploit independently; the victim must open the crafted presentation or otherwise cause PowerPoint to process it.
Microsoft also says the Preview Pane is not an attack vector. That detail matters for triage because it indicates that simply selecting the file in File Explorer or an email client’s attachment list is not expected to trigger the vulnerability through preview processing.
RCE Describes the Consequence, AV:L Describes the Route
The term remote code execution is not applied with perfect consistency across the security industry. In Microsoft advisories, it can cover document-based attacks in which an unauthenticated remote attacker sends malicious content that ultimately results in code running on the recipient’s machine. This category is also frequently described as arbitrary code execution, or ACE.CVSS is more precise about reachability. AV:L means the vulnerable component is accessed through a local execution path rather than directly across a network or adjacent network. It does not necessarily mean the attacker needs an existing account, an interactive desktop session, or physical access to the computer.
Those requirements are represented by other CVSS fields. CVE-2026-55123 has PR:N, meaning no prior privileges are required, but UI:R confirms that another person must participate in the exploitation chain. Its low attack complexity rating indicates that Microsoft does not identify unusual race conditions, environmental dependencies, or elaborate preparation beyond getting the malicious content processed.
The high confidentiality, integrity, and availability impact values explain the 7.8 score. Successful exploitation could let the payload access data available to the logged-on user, alter files or settings, install additional software, and disrupt the affected account’s environment.
The user’s privilege level remains an important boundary. Code launched through PowerPoint would normally inherit the victim’s rights. A user running with standard permissions offers the attacker less immediate control than an administrator, although the initial compromise could still expose documents, browser sessions, cloud credentials, mapped drives, and other resources accessible to that account.
July’s PowerPoint Fix Covers Three Related Flaws
CVE-2026-55123 is one of three PowerPoint heap-overflow vulnerabilities addressed in Microsoft’s July 2026 release. Qualys groups it with CVE-2026-55043 and CVE-2026-55120, all of which carry the same general description: an unauthorized attacker may be able to execute code locally through a PowerPoint memory-corruption condition.Microsoft’s affected-product data includes Microsoft 365 Apps for Enterprise, PowerPoint 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office 365 for Mac, and the corresponding Office LTSC editions for Mac. Both 32-bit and 64-bit Windows editions appear in the affected configurations where applicable.
For MSI-based PowerPoint 2016 installations, Microsoft released KB5002867 on July 14. Tenable identifies version 16.0.5561.1000 as the corrected PowerPoint 2016 MSI build. Microsoft 365 Apps and other Click-to-Run Office products receive fixes through their applicable servicing channels rather than the standalone Office 2016 MSI package.
Administrators should therefore verify the actual Office deployment type before treating KB5002867 as a universal remedy. Installing that package is appropriate for supported MSI-based PowerPoint 2016 deployments, but it does not replace Microsoft 365 Apps update-channel management or the separate servicing mechanisms used by Mac editions.
Microsoft did not list CVE-2026-55123 as publicly disclosed or actively exploited when the July advisory was released. The vulnerability was also absent from the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog at publication. That reduces the evidence for immediate exploitation in the wild, but it does not remove the phishing-friendly attack path created by malicious Office documents.
Patch Management Matters More Than the Label
For defenders, the title should not lead to the assumption that every vulnerable workstation is remotely reachable like an exposed server. Network firewalls and closed inbound ports do not prevent a user from receiving and opening a crafted presentation.The relevant controls are endpoint patching, attachment filtering, email and collaboration-platform scanning, application isolation, and least-privilege user accounts. Microsoft Defender for Office 365 Safe Attachments, Microsoft Defender Antivirus, attack surface reduction policies, and sandboxing can provide additional layers, but the security update corrects the vulnerable PowerPoint code itself.
Organizations that cannot update immediately should apply stricter handling to untrusted presentation files and avoid opening unexpected
.ppt, .pptx, and related Office content outside a controlled environment. Blocking macros alone should not be treated as a complete mitigation because CVE-2026-55123 is documented as a memory-corruption flaw, not a malicious VBA macro technique.The practical reading is simple: CVE-2026-55123 is remotely deliverable but locally triggered. Microsoft’s RCE label describes the attacker-controlled code-execution result; AV:L records that PowerPoint must process the malicious file on the endpoint. The durable fix is to update every affected Office channel, including deploying KB5002867 where PowerPoint 2016 MSI remains in service.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com