CVE-2026-55130: Install KB5002890 to Fix Word Code Execution

Microsoft patched CVE-2026-55130, a heap-based buffer overflow in Microsoft Word that can let an unauthenticated attacker execute code after a user opens malicious content. The July 14, 2026 security release covers Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021 and 2024, Word 2016, and supported on-premises SharePoint Server editions.
Microsoft’s Security Response Center rates the vulnerability Important with a CVSS 3.1 score of 7.8. Although its title says “Remote Code Execution,” the scoring vector classifies the attack vector as local and requires user interaction; this is not a network worm that can independently compromise an exposed Windows PC.
The practical risk is a familiar Office attack chain: an attacker delivers specially crafted content, persuades a user or workflow to process it, and gains code execution in the affected application’s security context. Microsoft has not reported active exploitation or public disclosure, and its July Patch Tuesday data describes exploitation as less likely.

Cybersecurity illustration showing a shield defending documents and servers from malware threats.Word’s Memory Corruption Can Become Full Code Execution​

CVE-2026-55130 is categorized as CWE-122, a heap-based buffer overflow. This class of vulnerability occurs when software writes more data into an allocated heap buffer than the buffer can safely contain, potentially corrupting adjacent memory and changing the program’s behavior.
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In operational terms, exploitation requires no prior privileges and is considered low complexity, but a user must take an action. A successful attack can have high confidentiality, integrity, and availability impact, meaning it could expose data, alter files or settings, and disrupt the affected system.
The “local” attack-vector designation deserves attention because it can appear to conflict with the remote-code-execution label. In Microsoft vulnerability naming, remote code execution commonly describes the attacker’s ability to supply hostile content from elsewhere, such as through email, messaging, a download, or a shared document repository. It does not necessarily mean that the vulnerable application listens directly for unauthenticated network traffic.
Microsoft has not published enough technical detail to establish the exact malicious document structure, affected Word parser, or post-exploitation behavior. There is also no public proof-of-concept identified in Microsoft’s release data. Administrators should therefore avoid assuming a specific file extension, delivery method, or mitigation not documented by the vendor.

The Patch Reaches Beyond Desktop Word​

The affected-product list is broader than Word 2016 alone. Microsoft identifies both 32-bit and 64-bit releases of Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, and Word 2016.
On-premises collaboration servers are also in scope:
  • Microsoft SharePoint Enterprise Server 2016 is affected below build 16.0.5561.1001.
  • Microsoft SharePoint Server 2019 is affected below build 16.0.10417.20175.
  • Microsoft SharePoint Server Subscription Edition is affected below build 16.0.19725.20434.
  • Microsoft Word 2016 is affected below build 16.0.5561.1000.
The SharePoint entries matter because server-side Office and document-processing components can create exposure outside the traditional scenario of a user double-clicking a .docx attachment. However, Microsoft’s CVSS assessment still records user interaction as required and says the vulnerability is not directly network exploitable. The published data does not establish a zero-click SharePoint attack path.
For Microsoft 365 Apps and newer perpetual Office releases, servicing depends on the product’s update channel and deployed build. IT teams should use their normal Microsoft 365 Apps management tools to verify that endpoints have received the July 2026 security release rather than looking for the Word 2016 MSI package.
Word 2016 uses KB5002890, which Microsoft made available through Microsoft Update, the Microsoft Update Catalog, and the Download Center. KB5002890 applies specifically to MSI-based Word 2016 installations and does not apply to Click-to-Run editions such as Microsoft 365 Apps. It replaces the earlier KB5002879 update and raises Word 2016 to the fixed 16.0.5561.1000 level.
KB5002890 is a bundled security update rather than a one-CVE patch. Microsoft says it resolves multiple Word remote-code-execution and information-disclosure vulnerabilities released in July, so deploying it closes more than CVE-2026-55130.

SharePoint Deployment Requires Its Own Change Plan​

SharePoint administrators should not treat the July release like a desktop Office update. SharePoint security updates require farm-wide deployment, configuration work through PSConfig, and validation of services and customizations after installation.
The relevant July packages are KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Microsoft’s Subscription Edition package is build 16.0.19725.20434 and includes fixes for a large set of SharePoint and Word vulnerabilities.
Microsoft also documents prerequisites and post-installation considerations for KB5002882. Farms using SharePoint Workflow Manager must install KB5002799 before the cumulative update, while organizations still running the classic Workflow Manager may need a documented server debug flag to maintain operation.
KB5002882 carries a known-issue instruction involving actor-token audience validation after PSConfig. Microsoft says the prescribed PowerShell setting disables a defense-in-depth validation still under development while leaving existing actor-token validation checks enabled. That makes Microsoft’s installation notes essential reading for SharePoint teams, even though delaying the entire security update leaves the farm exposed to CVE-2026-55130 and numerous other July vulnerabilities.
A sensible enterprise rollout separates the desktop and server tracks. Microsoft 365 Apps can move through update rings with application-health monitoring, while SharePoint should go through a tested maintenance window that includes backups, farm build verification, PSConfig completion, workflow checks, search validation, and review of the Unified Logging System.

Current Threat Data Lowers the Alarm, Not the Priority​

Microsoft says CVE-2026-55130 was neither publicly disclosed nor known to be exploited when the update shipped on July 14. The Zero Day Initiative’s July review likewise lists it as an Important 7.8-rated RCE with no public disclosure and no exploitation observed.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data records no known exploitation, says exploitation is not readily automatable, and assesses the potential technical impact as total. That combination describes a vulnerability that needs a victim action and is not currently driving emergency incident response, but could give an attacker comprehensive control if exploitation succeeds.
The National Vulnerability Database was still awaiting its own enrichment as of July 15. Its entry reproduces Microsoft’s description, affected products, CVSS score, and CWE classification rather than adding independent technical analysis. The strongest available confirmation therefore remains Microsoft’s vendor-issued CVE record and corresponding security packages.
For administrators, the response should be straightforward: confirm July Office updates on managed endpoints, deploy KB5002890 to MSI-based Word 2016 installations, and schedule the appropriate SharePoint cumulative update with its documented prerequisites. Email filtering, Protected View, attachment sandboxing, Microsoft Defender for Office 365, and application-control policies remain useful layers, but none should be treated as a substitute for updating the vulnerable Word components.
CVE-2026-55130 is not an actively exploited zero-day based on the information available on July 15, 2026. Its combination of low attack complexity, no privilege requirement, and potentially complete system impact nevertheless makes the July Word and SharePoint updates a deployment item to complete promptly rather than defer to a later maintenance cycle.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top