Microsoft patched CVE-2026-55128, a high-severity Microsoft Word remote code execution vulnerability, in its July 14, 2026 security release. The use-after-free flaw can let an attacker run code after convincing a user to interact with malicious content, making prompt deployment important wherever Word documents arrive through email, collaboration platforms, or external file transfers.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55128 carries a CVSS 3.1 base score of 7.8. The vulnerability requires user interaction but no prior privileges, and successful exploitation can have high confidentiality, integrity, and availability impact.
Microsoft has not indicated that the flaw was publicly disclosed or exploited in the wild at release. CISA’s initial SSVC assessment similarly recorded no known exploitation and described the attack as non-automatable, while recognizing that its technical impact could be total.
Microsoft describes CVE-2026-55128 as a use-after-free weakness in Microsoft Office Word that permits an unauthorized attacker to execute code locally. Its CVSS vector is
That combination can appear contradictory beside the advisory’s “remote code execution” title. In Office security terminology, however, remote delivery and local execution often coexist: an attacker sends or hosts a crafted document, but the vulnerable parsing operation occurs inside Word on the victim’s computer.
The local attack vector and required user interaction mean the vulnerability is not documented as a network service flaw that can compromise an idle PC without participation. A user must be persuaded to interact with attacker-controlled content, although Microsoft’s currently available public record does not spell out the precise document format, interface action, or application workflow needed to trigger the defect.
A successful attack could execute code with the permissions available to the affected Word process and signed-in user. On a workstation where the user has local administrator rights, that could considerably increase the damage; on a least-privilege endpoint, Windows access controls may constrain some post-exploitation actions without eliminating the initial compromise.
The underlying weakness is categorized as CWE-416, use after free. This class of memory-safety error occurs when software continues using memory after it has been released, potentially allowing carefully constructed input to corrupt application state and redirect execution.
Microsoft has confirmed the vulnerability and issued official fixes, but it has not published enough technical detail for defenders to build reliable document-level signatures from the advisory alone. That reduces the immediate value of speculative file filters and makes patch status the clearest available control.
Microsoft Word 2016 is affected on both 32-bit and 64-bit Windows systems before version 16.0.5561.1000. Microsoft released KB5002890 for the MSI-based edition of Word 2016 as part of the July Office security updates.
KB5002890 is not intended for Office 2016 Click-to-Run installations, including Microsoft 365-branded editions that use Microsoft’s streaming servicing model. Those systems must receive their corresponding Click-to-Run security build through the applicable Microsoft 365 Apps update channel rather than installing the standalone MSI package.
Mac installations are also included in the affected record. Microsoft lists Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 as affected below version 16.111.26071215.
The vulnerability also reaches server products that incorporate Office or Word document-processing components:
The presence of SharePoint in the affected list is operationally significant. Organizations may patch desktop Office quickly while overlooking application servers that process, index, convert, or otherwise handle Office content behind the scenes.
Microsoft says KB5002890 replaces the previously released KB5002879. The July package is available for both x86 and x64 editions, and administrators can use the resulting file and product version data—not merely a successful update scan—to validate installation.
Click-to-Run estates require a different check. Administrators should confirm that Microsoft 365 Apps has advanced to the security build published for the organization’s selected update channel, because Current Channel, Monthly Enterprise Channel, and the Semi-Annual Enterprise channels do not necessarily receive identical builds on the same schedule.
Mac administrators should verify that affected Office installations have reached at least 16.111.26071215. Merely confirming that automatic updates are enabled does not prove that a device has completed the update, particularly for laptops that have been offline or users who repeatedly defer application restarts.
SharePoint farms deserve their own maintenance plan. Updates should be installed across the farm according to Microsoft’s servicing guidance, followed by any required configuration upgrade work and verification that every server has reached the fixed build.
Do not use the Word 2016 desktop package as evidence that SharePoint is protected. The server products have distinct packages, build thresholds, prerequisites, and deployment procedures.
Those controls are not substitutes for the update. The public advisory does not provide enough detail to conclude that Protected View, a specific blocked file extension, or one narrowly targeted mail rule will prevent every viable path to the vulnerable Word code.
Security teams should watch for Word spawning unusual child processes, unexpected script interpreters, command shells, download utilities, or persistence tooling after a document is opened. Such behavior is not proof of CVE-2026-55128 exploitation, but it remains a useful detection pattern for malicious Office-document activity generally.
CVE-2026-55128 was published on July 14, 2026, and there was no known active exploitation in Microsoft’s initial assessment. That lowers the case for emergency isolation of every Word workstation, but not for postponing an available fix: organizations should prioritize externally exposed document workflows, high-risk users, shared terminal environments, and SharePoint servers, then confirm that each Office servicing model has actually reached its fixed build.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55128 carries a CVSS 3.1 base score of 7.8. The vulnerability requires user interaction but no prior privileges, and successful exploitation can have high confidentiality, integrity, and availability impact.
Microsoft has not indicated that the flaw was publicly disclosed or exploited in the wild at release. CISA’s initial SSVC assessment similarly recorded no known exploitation and described the attack as non-automatable, while recognizing that its technical impact could be total.
“Remote Code Execution” Still Begins With a Local Action
Microsoft describes CVE-2026-55128 as a use-after-free weakness in Microsoft Office Word that permits an unauthorized attacker to execute code locally. Its CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.That combination can appear contradictory beside the advisory’s “remote code execution” title. In Office security terminology, however, remote delivery and local execution often coexist: an attacker sends or hosts a crafted document, but the vulnerable parsing operation occurs inside Word on the victim’s computer.
The local attack vector and required user interaction mean the vulnerability is not documented as a network service flaw that can compromise an idle PC without participation. A user must be persuaded to interact with attacker-controlled content, although Microsoft’s currently available public record does not spell out the precise document format, interface action, or application workflow needed to trigger the defect.
A successful attack could execute code with the permissions available to the affected Word process and signed-in user. On a workstation where the user has local administrator rights, that could considerably increase the damage; on a least-privilege endpoint, Windows access controls may constrain some post-exploitation actions without eliminating the initial compromise.
The underlying weakness is categorized as CWE-416, use after free. This class of memory-safety error occurs when software continues using memory after it has been released, potentially allowing carefully constructed input to corrupt application state and redirect execution.
Microsoft has confirmed the vulnerability and issued official fixes, but it has not published enough technical detail for defenders to build reliable document-level signatures from the advisory alone. That reduces the immediate value of speculative file filters and makes patch status the clearest available control.
The Affected Footprint Extends Beyond Word 2016
The CVE record identifies a broad Office estate rather than a single perpetual Word release. Affected products include Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, and supported Office editions for macOS.Microsoft Word 2016 is affected on both 32-bit and 64-bit Windows systems before version 16.0.5561.1000. Microsoft released KB5002890 for the MSI-based edition of Word 2016 as part of the July Office security updates.
KB5002890 is not intended for Office 2016 Click-to-Run installations, including Microsoft 365-branded editions that use Microsoft’s streaming servicing model. Those systems must receive their corresponding Click-to-Run security build through the applicable Microsoft 365 Apps update channel rather than installing the standalone MSI package.
Mac installations are also included in the affected record. Microsoft lists Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 as affected below version 16.111.26071215.
The vulnerability also reaches server products that incorporate Office or Word document-processing components:
- Microsoft SharePoint Enterprise Server 2016 is affected before build 16.0.5561.1001.
- Microsoft SharePoint Server 2019 is affected before build 16.0.10417.20175.
- Microsoft SharePoint Server Subscription Edition is affected before build 16.0.19725.20434.
The presence of SharePoint in the affected list is operationally significant. Organizations may patch desktop Office quickly while overlooking application servers that process, index, convert, or otherwise handle Office content behind the scenes.
Patch Deployment Needs Two Separate Checks
For managed Windows endpoints, the first task is to identify how Office is installed. MSI-based Word 2016 systems should receive KB5002890 through Microsoft Update, Microsoft Endpoint Configuration Manager, Windows Server Update Services, the Microsoft Update Catalog, or the standalone Download Center package.Microsoft says KB5002890 replaces the previously released KB5002879. The July package is available for both x86 and x64 editions, and administrators can use the resulting file and product version data—not merely a successful update scan—to validate installation.
Click-to-Run estates require a different check. Administrators should confirm that Microsoft 365 Apps has advanced to the security build published for the organization’s selected update channel, because Current Channel, Monthly Enterprise Channel, and the Semi-Annual Enterprise channels do not necessarily receive identical builds on the same schedule.
Mac administrators should verify that affected Office installations have reached at least 16.111.26071215. Merely confirming that automatic updates are enabled does not prove that a device has completed the update, particularly for laptops that have been offline or users who repeatedly defer application restarts.
SharePoint farms deserve their own maintenance plan. Updates should be installed across the farm according to Microsoft’s servicing guidance, followed by any required configuration upgrade work and verification that every server has reached the fixed build.
Do not use the Word 2016 desktop package as evidence that SharePoint is protected. The server products have distinct packages, build thresholds, prerequisites, and deployment procedures.
Document Controls Buy Time, Not Remediation
Until patch coverage is complete, organizations should continue treating unsolicited Office documents as potentially hostile. Email attachment sandboxing, Mark of the Web protections, Microsoft Defender for Office 365 Safe Attachments, endpoint attack-surface reduction rules, and removing unnecessary local administrator rights can all reduce exposure or limit consequences.Those controls are not substitutes for the update. The public advisory does not provide enough detail to conclude that Protected View, a specific blocked file extension, or one narrowly targeted mail rule will prevent every viable path to the vulnerable Word code.
Security teams should watch for Word spawning unusual child processes, unexpected script interpreters, command shells, download utilities, or persistence tooling after a document is opened. Such behavior is not proof of CVE-2026-55128 exploitation, but it remains a useful detection pattern for malicious Office-document activity generally.
CVE-2026-55128 was published on July 14, 2026, and there was no known active exploitation in Microsoft’s initial assessment. That lowers the case for emergency isolation of every Word workstation, but not for postponing an available fix: organizations should prioritize externally exposed document workflows, high-risk users, shared terminal environments, and SharePoint servers, then confirm that each Office servicing model has actually reached its fixed build.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Word 2016: May 12, 2026 (KB5002858) | Microsoft Support
Description of the security update for Word 2016: May 12, 2026 (KB5002858)support.microsoft.com