CVE-2026-55127: Patch Word Preview Pane RCE With July Updates

Microsoft has patched CVE-2026-55127, a critical Microsoft Word remote code execution vulnerability that can be triggered when a user opens—or potentially previews—a malicious document. The heap-based buffer overflow carries a CVSS 3.1 score of 7.8 and affects Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC releases, Word 2016, Office for Mac, and several on-premises SharePoint Server editions.
Detailed in Microsoft’s July 14, 2026 security release, the flaw requires user interaction but does not require the attacker to hold an account or privileges on the target. Microsoft says exploitation was not publicly disclosed or detected in attacks at publication time and assesses exploitation as less likely, but the Preview Pane attack path makes routine document handling part of the exposure.
Administrators should deploy the applicable July Office and SharePoint updates rather than waiting for evidence of exploitation.

Cybersecurity illustration showing a document overflow alert, cloud services, protected devices, and a July 2026 patch deployment.A “Local” Attack That Arrives Remotely​

CVE-2026-55127 is classified as CWE-122, a heap-based buffer overflow in Microsoft Office Word. A malformed document can cause Word to write data beyond the intended area of heap memory, creating a path to arbitrary code execution under the security context of the user processing the file.
The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That translates to low attack complexity, no required privileges, mandatory user interaction, and potentially high impact across confidentiality, integrity, and availability.
The local attack-vector rating can be misleading outside vulnerability-management teams. It does not mean an attacker must sit at the affected computer or already have interactive access. A threat actor could reportedly deliver the malicious file through email, Microsoft Teams, a SharePoint library, a download, or another file-sharing channel, then rely on the victim or an Office component to process it.
“Remote code execution” describes the outcome and the attacker’s ability to supply hostile content from elsewhere. “Local” in the CVSS vector describes where the vulnerable processing occurs. For defenders, the operational takeaway is straightforward: treat this as a document-delivery threat, not as a flaw requiring prior local compromise.
The required interaction lowers the theoretical risk compared with a network service that can be compromised by a single unauthenticated packet. It does not make the weakness harmless. Word documents remain familiar business objects, and attackers routinely disguise them as invoices, contracts, résumés, reports, or internal correspondence.

Preview Pane Exposure Narrows the Safety Margin​

Microsoft’s advisory identifies the Preview Pane as an attack vector, according to July Patch Tuesday reporting compiled by BleepingComputer and Action1. That detail matters because the traditional advice to avoid double-clicking unknown attachments may not cover every path through which vulnerable content is processed.
A Preview Pane attack does not eliminate user interaction under Microsoft’s scoring. The victim still needs to encounter or select the hostile file in a context that causes a preview handler to process it. Nevertheless, the difference between consciously opening a document and merely selecting it in File Explorer or another document interface is significant for both user training and incident response.
Organizations that cannot deploy the update immediately should reduce exposure by preventing users from previewing untrusted Word documents and strengthening controls around externally sourced Office files. Those measures are temporary risk reductions, not replacements for the security update.
Protected View, Microsoft Defender for Office 365, attachment sandboxing, Mark of the Web handling, application control, and least-privilege user accounts can all limit portions of the attack chain. None should be assumed to repair the underlying memory-safety error. Security teams should also avoid inferring immunity from the absence of macros: a heap overflow is a native-code flaw and does not depend on a victim enabling VBA.
Successful exploitation would run code with the permissions of the affected user. A standard user account can therefore constrain immediate impact, while a user operating with administrative rights gives the payload a more powerful starting position. Even under standard-user permissions, an attacker may still be able to access documents, steal browser or application data available to that account, modify files, establish user-level persistence, or launch additional exploits.

The Affected List Reaches Beyond Word Desktops​

Microsoft’s affected-product record covers both Windows and macOS Office deployments. It includes Microsoft 365 Apps for Enterprise on 32-bit and 64-bit Windows, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Microsoft Office 365 for Mac, and Office LTSC for Mac 2021 and 2024.
Word 2016 is separately listed on x86 and x64 systems. Microsoft’s fixed Word 2016 build is 16.0.5561.1000, delivered for MSI-based installations through KB5002890. The update replaces KB5002879 and is available through Microsoft Update, the Microsoft Update Catalog, and the Microsoft Download Center.
KB5002890 is not a dedicated patch for CVE-2026-55127 alone. Microsoft says it resolves a collection of Word remote code execution and information-disclosure vulnerabilities released in the July update, so vulnerability scanners and deployment teams should validate the installed package or resulting file versions rather than expect a one-to-one CVE package.
Click-to-Run editions, including Microsoft 365 Apps, follow Office servicing channels instead of using the standalone Word 2016 MSI package. Administrators should confirm that devices have received the July 2026 Office security release appropriate to their channel. Simply searching every endpoint for KB5002890 will miss supported Click-to-Run installations.
Mac deployments need Office version 16.111.26071215 or later, according to the affected-version data submitted by Microsoft to the CVE record. That fixed version applies to Microsoft Office 365 for Mac and Office LTSC for Mac 2021 and 2024.
The CVE record also names on-premises SharePoint products because server-side Office components can process Word content without the familiar desktop application workflow. The fixed build thresholds are:
  • SharePoint Enterprise Server 2016 must be updated to build 16.0.5561.1001 or later.
  • SharePoint Server 2019 must be updated to build 16.0.10417.20175 or later.
  • SharePoint Server Subscription Edition must be updated to build 16.0.19725.20434 or later.
Microsoft’s July packages include KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Office Online Server also received KB5002884 as part of the July Office security release, although it is not separately named in the CVE’s affected-product record published through the National Vulnerability Database.
SharePoint administrators should not treat endpoint patch compliance as sufficient. A fully updated fleet of Windows PCs does nothing to correct vulnerable document-processing code on an on-premises SharePoint server.

Microsoft Confirms the Bug, but Exploit Evidence Is Thin​

The supplied vulnerability-confidence metric is useful here because it separates confidence that a flaw exists from confidence in every possible exploitation detail. CVE-2026-55127 is not based solely on a vague third-party claim: Microsoft is the CVE Numbering Authority, has acknowledged the heap-based buffer overflow, assigned the severity and CVSS vector, listed affected products, and released updates.
That makes the vulnerability’s existence and vendor-level technical classification confirmed. The National Vulnerability Database was still awaiting its own enrichment as of July 15, meaning NIST had not yet added an independent CVSS assessment or expanded configuration analysis. Its page was displaying Microsoft’s 7.8 score and affected-product submission.
Confidence in current weaponization is lower. Microsoft marked the vulnerability as not publicly disclosed and not exploited at release, while its exploitability assessment says exploitation is less likely. CISA’s initial Stakeholder-Specific Vulnerability Categorization data likewise recorded no known exploitation and judged the flaw not readily automatable, while recognizing that successful exploitation could have total technical impact.
Those indicators should shape prioritization, not become a reason to defer indefinitely. Memory-corruption vulnerabilities in ubiquitous document software are valuable because delivery can be folded into phishing and file-sharing campaigns. The lack of a public proof of concept on July 14 does not predict how long technical details or reliable exploit methods will remain unavailable.

Patch Validation Matters More Than the CVSS Number​

For managed Microsoft 365 Apps environments, administrators should review update-channel compliance and verify that devices have moved onto a July 2026 security build. Devices pinned to an older Monthly Enterprise Channel, Semi-Annual Enterprise Channel, or a deferred internal ring need separate attention because an update being published does not mean every installation has received it.
Office 2019 and LTSC administrators should identify whether installations use Click-to-Run servicing and confirm the actual Office build after deployment. Word 2016 MSI estates should approve and install KB5002890 for both 32-bit and 64-bit editions, then verify that Word reports build 16.0.5561.1000 or newer.
SharePoint updates demand the usual server-farm discipline: test the package, back up the environment, deploy it across every server that requires it, and complete the applicable SharePoint configuration steps. Checking only that a package appears in installed-updates inventory can leave a farm incompletely serviced.
Security operations teams should also watch for Word spawning unusual child processes, unexpected script interpreters, executables written into user-writable directories, or outbound connections immediately after document preview or opening. Those signals are not unique to CVE-2026-55127, but they remain useful for detecting a document-based code-execution chain.
CVE-2026-55127 was not a known zero-day when Microsoft published its fix on July 14, 2026. Its practical risk comes instead from the combination of a low-complexity memory corruption bug, ubiquitous document workflows, Preview Pane exposure, and a product list that spans desktops, Macs, and SharePoint servers. The next meaningful milestone is not a revised score—it is whether organizations can show that every component capable of processing the hostile Word content has actually received the July update.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top