CVE-2026-55125 is a high-severity Microsoft Office vulnerability that can let an attacker run arbitrary code after a user opens or otherwise processes malicious content locally. Microsoft published the flaw on July 14, 2026, with a CVSS 3.1 score of 7.8 and the vector
The apparent contradiction is that Microsoft calls it a “Remote Code Execution Vulnerability” while assigning a Local attack vector. As Microsoft explains in its Security Update Guide, “remote code execution” describes the attacker’s ability to cause code execution from elsewhere, not necessarily a network-level route into Office. The vulnerable Office process still has to encounter attacker-controlled content on the target machine, typically through an action initiated by the victim.
That distinction matters for defenders. CVE-2026-55125 is not described as a service that an unauthenticated attacker can directly reach over the network, but it can still become the execution stage of a phishing, download or document-delivery attack.
The title describes the vulnerability’s impact: successful exploitation allows code chosen by an attacker to run on another person’s system. In older and broader security terminology, this is commonly called remote code execution, or RCE, even when the vulnerable application is not listening for malicious requests from the Internet.
The CVSS Attack Vector metric answers a narrower question: how close must the malicious input be to the vulnerable component when exploitation occurs? With
Microsoft’s explanation says the attacker or victim must execute code from the local machine to trigger the flaw. That can include opening a malicious Office file delivered by email, launching content downloaded from a website, accessing a file from a shared location or interacting with another attacker-prepared object that Office handles locally.
The attacker can therefore remain geographically remote while arranging for the victim’s Office installation to process the exploit. The file crosses the network during delivery, but the vulnerability is triggered only after that file reaches the endpoint and is handled there.
A true
Memory corruption does not automatically guarantee reliable code execution, but Microsoft has classified the resulting security impact as code execution. The CVSS vector assigns High impact to confidentiality, integrity and availability, indicating that a successful exploit could potentially expose data, alter files and disrupt the affected system.
The complete vector is:
Each component helps narrow the actual risk:
In practical terms, least privilege still matters. Code running as a standard user starts with fewer immediate rights than code running under a local administrator account, although follow-on privilege-escalation flaws or credential theft can expand an attacker’s control.
The record additionally identifies SharePoint Server 2016 and SharePoint Server 2019 installations among the affected products. That makes the advisory relevant beyond desktop-support teams, particularly where Office components are installed or serviced as part of a SharePoint deployment.
Microsoft’s July 14 SharePoint packages include fixes associated with CVE-2026-55125. SharePoint Server Subscription Edition received KB5002882, build 16.0.19725.20434, while the SharePoint Server 2016 servicing material includes build 16.0.5561.1001. Administrators should follow the product-specific installation and configuration instructions rather than assuming that a fully patched Windows host also has an updated SharePoint or Office stack.
Microsoft Update can deliver applicable packages automatically, but enterprise environments using Microsoft Configuration Manager, Windows Update for Business deployment controls or other patch-management platforms should verify installation status explicitly. Click-to-Run Office deployments should likewise be checked against Microsoft’s July 2026 Office security release versions.
SharePoint administrators have additional operational work. Microsoft’s documentation for KB5002882 includes prerequisites and post-installation guidance involving SharePoint Workflow Manager and
For many Office vulnerabilities, the practical chain begins outside the endpoint:
Defenses such as attachment filtering, Mark of the Web, Microsoft Defender for Office 365, Protected View and application-control policies can reduce opportunities for exploitation. They do not replace the security update, especially when documents circulate through trusted internal channels or when users are persuaded to bypass warnings.
Security teams should prioritize the July Office and SharePoint patches, confirm that supported builds have advanced to Microsoft’s fixed release levels, and investigate Office child-process creation or other unusual activity following document access. The Local vector narrows the delivery conditions; it does not reduce successful exploitation to a harmless local crash.
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.The apparent contradiction is that Microsoft calls it a “Remote Code Execution Vulnerability” while assigning a Local attack vector. As Microsoft explains in its Security Update Guide, “remote code execution” describes the attacker’s ability to cause code execution from elsewhere, not necessarily a network-level route into Office. The vulnerable Office process still has to encounter attacker-controlled content on the target machine, typically through an action initiated by the victim.
That distinction matters for defenders. CVE-2026-55125 is not described as a service that an unauthenticated attacker can directly reach over the network, but it can still become the execution stage of a phishing, download or document-delivery attack.
“Remote” and AV:L Measure Different Things
The title describes the vulnerability’s impact: successful exploitation allows code chosen by an attacker to run on another person’s system. In older and broader security terminology, this is commonly called remote code execution, or RCE, even when the vulnerable application is not listening for malicious requests from the Internet.The CVSS Attack Vector metric answers a narrower question: how close must the malicious input be to the vulnerable component when exploitation occurs? With
AV:L, exploitation depends on activity within the target’s local operating-system context rather than a packet sent directly to a remotely accessible Office service.Microsoft’s explanation says the attacker or victim must execute code from the local machine to trigger the flaw. That can include opening a malicious Office file delivered by email, launching content downloaded from a website, accessing a file from a shared location or interacting with another attacker-prepared object that Office handles locally.
The attacker can therefore remain geographically remote while arranging for the victim’s Office installation to process the exploit. The file crosses the network during delivery, but the vulnerability is triggered only after that file reaches the endpoint and is handled there.
A true
AV:N vulnerability would have different exposure. It could generally be triggered through a network-reachable interface without first placing the exploit into the target’s local execution context. CVE-2026-55125 does not receive that classification merely because an attacker could email the malicious content.A Heap Overflow With Full Impact Potential
The National Vulnerability Database describes CVE-2026-55125 as a heap-based buffer overflow in Microsoft Office. The associated weakness is CWE-122, a category covering situations in which software writes beyond the intended boundary of a heap allocation.Memory corruption does not automatically guarantee reliable code execution, but Microsoft has classified the resulting security impact as code execution. The CVSS vector assigns High impact to confidentiality, integrity and availability, indicating that a successful exploit could potentially expose data, alter files and disrupt the affected system.
The complete vector is:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HEach component helps narrow the actual risk:
- The attacker must get malicious content into a local execution path because the Attack Vector is Local.
- Exploitation is rated Low complexity, meaning Microsoft has not identified special conditions that would substantially impede an attack.
- The attacker requires no existing privileges on the target system.
- User interaction is required, preventing the flaw from being treated as a direct, interaction-free compromise.
- Scope remains unchanged, while confidentiality, integrity and availability impacts are all rated High.
In practical terms, least privilege still matters. Code running as a standard user starts with fewer immediate rights than code running under a local administrator account, although follow-on privilege-escalation flaws or credential theft can expand an attacker’s control.
Office and SharePoint Deployments Need the July Fixes
The affected-product information submitted by Microsoft includes Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021 and Office LTSC 2024 on Windows. Microsoft 365 and Office LTSC releases for macOS are also listed, with fixed Mac builds beginning at version 16.111.26071215.The record additionally identifies SharePoint Server 2016 and SharePoint Server 2019 installations among the affected products. That makes the advisory relevant beyond desktop-support teams, particularly where Office components are installed or serviced as part of a SharePoint deployment.
Microsoft’s July 14 SharePoint packages include fixes associated with CVE-2026-55125. SharePoint Server Subscription Edition received KB5002882, build 16.0.19725.20434, while the SharePoint Server 2016 servicing material includes build 16.0.5561.1001. Administrators should follow the product-specific installation and configuration instructions rather than assuming that a fully patched Windows host also has an updated SharePoint or Office stack.
Microsoft Update can deliver applicable packages automatically, but enterprise environments using Microsoft Configuration Manager, Windows Update for Business deployment controls or other patch-management platforms should verify installation status explicitly. Click-to-Run Office deployments should likewise be checked against Microsoft’s July 2026 Office security release versions.
SharePoint administrators have additional operational work. Microsoft’s documentation for KB5002882 includes prerequisites and post-installation guidance involving SharePoint Workflow Manager and
PSConfig. Installing the binary package without completing the required farm update steps can leave SharePoint servicing incomplete.Email Filters Do Not Remove the Local Risk
TheAV:L rating should not be read as evidence that an attacker already needs an interactive login. The vector specifies where exploitation occurs, while PR:N confirms that the attacker does not need pre-existing privileges on the target.For many Office vulnerabilities, the practical chain begins outside the endpoint:
- An attacker prepares content designed to exercise the vulnerable Office code.
- The content reaches the user through email, cloud storage, a collaboration platform, a website or a shared folder.
- The user performs the required interaction.
- Office processes the content locally, triggering memory corruption and potential code execution.
AV:L. The attacker conducts the campaign remotely and gains code execution on a remote victim’s machine, but the malicious object must first enter a local Office processing path.Defenses such as attachment filtering, Mark of the Web, Microsoft Defender for Office 365, Protected View and application-control policies can reduce opportunities for exploitation. They do not replace the security update, especially when documents circulate through trusted internal channels or when users are persuaded to bypass warnings.
Security teams should prioritize the July Office and SharePoint patches, confirm that supported builds have advanced to Microsoft’s fixed release levels, and investigate Office child-process creation or other unusual activity following document access. The Local vector narrows the delivery conditions; it does not reduce successful exploitation to a harmless local crash.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for SharePoint Server Subscription Edition: July 14, 2026 (KB5002882) | Microsoft Support
Description of the security update for SharePoint Server Subscription Edition: July 14, 2026 (KB5002882)support.microsoft.com