CVE-2026-55132 can let an attacker run code through Microsoft Word, but its CVSS attack vector is Local because the vulnerable document must be processed on the target system. Microsoft’s Remote Code Execution title describes the attacker’s relationship to the victim, not a network service that can be exploited directly over the internet.
Published in Microsoft’s July 14, 2026 security release, the flaw carries a CVSS 3.1 score of 7.8, rated High. Its vector is
That combination means exploitation has low complexity and requires no existing privileges, but it does require user interaction. Microsoft’s advisory explains that the attacker may be remote while the actual execution path remains local: a victim must open or otherwise cause the malicious content to be processed on their machine.
The apparent contradiction comes from two different classification systems describing different parts of the attack.
In Microsoft vulnerability titles, remote code execution generally indicates that an attacker can cause code of their choosing to execute on another person’s system. The attacker does not have to be logged on locally or already possess an account on the machine. A malicious Word document can be delivered remotely through email, a download, a collaboration platform, or another file-transfer channel.
CVSS Attack Vector, by contrast, asks how close the exploit must be to the vulnerable component when exploitation occurs. The
A useful distinction is:
The
An attacker who can shape the affected memory state may be able to redirect program execution rather than simply crash Word. Microsoft rates the potential confidentiality, integrity, and availability impact as High, meaning successful exploitation could allow the attacker to read data, alter data, and disrupt the affected application or system.
Code would ordinarily execute with the privileges available to the affected Word process. That makes account permissions an important boundary: a user working without administrative rights generally exposes less of the machine than someone routinely running Office under a highly privileged account.
That limitation should not be mistaken for a harmless outcome. Code execution in a standard user session can still expose documents, browser data, authentication material accessible to that user, mapped shares, and cloud-synchronized folders. It can also provide the initial foothold for a second exploit intended to elevate privileges.
Microsoft’s CVSS assessment records no privileges required before exploitation and low attack complexity. The interaction requirement is therefore the principal obstacle between a delivered file and successful compromise.
The CVE also reaches supported SharePoint Server products because SharePoint includes Office and Word-related document-processing components. Microsoft’s July updates cover SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
For SharePoint Server Subscription Edition, CVE-2026-55132 is included in the July 14 cumulative security update KB5002882, build 16.0.19725.20434. SharePoint Server 2016 administrators will encounter the CVE among the issues addressed by the July servicing packages, including KB5002892 for the language pack.
Office 2016 receives its July Word security fixes through KB5002890. Microsoft says the standalone package applies to MSI-based Office 2016 installations; Click-to-Run editions use their own Office update channel instead.
This broader product list matters to administrators who might otherwise classify CVE-2026-55132 as an endpoint-only document threat. SharePoint farms that invoke affected Word functionality need the relevant server updates even if users’ desktop Office installations are already current.
SharePoint updates also require more preparation than a routine Microsoft 365 Apps rollout. Microsoft’s July documentation includes prerequisites and post-installation instructions for some SharePoint configurations, including Workflow Manager considerations and the need to complete the normal configuration process after installing server binaries. Administrators should follow the instructions for their exact SharePoint release rather than treating the cumulative package as a simple workstation patch.
Microsoft 365 Apps administrators should verify that devices have received the July 2026 Office security release through their configured update channel. Environments using deferred update rings should check whether the approved build contains the July 14 fixes rather than assuming automatic updating has already closed the gap.
Office 2016 administrators should deploy KB5002890 where applicable. Mac administrators should confirm that affected installations have reached Office version 16.111.26071215 or later, while SharePoint teams should identify and install the July cumulative update for each farm version.
Until patching is complete, normal document-security controls retain value. Organizations can reduce exposure by blocking unexpected Office attachments, using Protected View and attachment sandboxing, restricting downloads from untrusted sources, and ensuring users do not run Word with administrative privileges. Those measures reduce opportunities for exploitation but do not replace the vendor fix.
Microsoft’s advisory did not describe CVE-2026-55132 as a remotely reachable Word service vulnerability. It describes a malicious-content path in which the attacker can remain remote while Word performs the dangerous operation locally. The terminology is awkward, but the deployment priority is not: update affected Office and SharePoint installations from the July 14, 2026 release before a crafted document turns required user interaction into code execution.
Published in Microsoft’s July 14, 2026 security release, the flaw carries a CVSS 3.1 score of 7.8, rated High. Its vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and Microsoft identifies the underlying weakness as a double-free memory error in Microsoft Office Word.That combination means exploitation has low complexity and requires no existing privileges, but it does require user interaction. Microsoft’s advisory explains that the attacker may be remote while the actual execution path remains local: a victim must open or otherwise cause the malicious content to be processed on their machine.
“Remote” Does Not Mean Network-Exploitable
The apparent contradiction comes from two different classification systems describing different parts of the attack.In Microsoft vulnerability titles, remote code execution generally indicates that an attacker can cause code of their choosing to execute on another person’s system. The attacker does not have to be logged on locally or already possess an account on the machine. A malicious Word document can be delivered remotely through email, a download, a collaboration platform, or another file-transfer channel.
CVSS Attack Vector, by contrast, asks how close the exploit must be to the vulnerable component when exploitation occurs. The
AV:L designation means that the vulnerable Word code is reached through a local execution or file-processing context rather than through a remotely reachable network protocol.A useful distinction is:
- The attacker may create and send the malicious document from another city, country, or network.
- The document must then be opened or processed by Word on the victim’s computer or an affected server.
- The vulnerability is not described as allowing an unauthenticated attacker to send specially crafted network packets directly to Word and immediately execute code.
The
UI:R metric reinforces that interpretation. User interaction is required, so merely running an unpatched copy of Word does not by itself expose a listening network service. A user, application, preview mechanism, or server-side Word component must process attacker-controlled content.A Double-Free Error With Full-System Consequences
The CVE record describes CVE-2026-55132 as a double-free vulnerability. This class of memory-management bug occurs when software releases the same memory allocation more than once, potentially corrupting the application’s heap.An attacker who can shape the affected memory state may be able to redirect program execution rather than simply crash Word. Microsoft rates the potential confidentiality, integrity, and availability impact as High, meaning successful exploitation could allow the attacker to read data, alter data, and disrupt the affected application or system.
Code would ordinarily execute with the privileges available to the affected Word process. That makes account permissions an important boundary: a user working without administrative rights generally exposes less of the machine than someone routinely running Office under a highly privileged account.
That limitation should not be mistaken for a harmless outcome. Code execution in a standard user session can still expose documents, browser data, authentication material accessible to that user, mapped shares, and cloud-synchronized folders. It can also provide the initial foothold for a second exploit intended to elevate privileges.
Microsoft’s CVSS assessment records no privileges required before exploitation and low attack complexity. The interaction requirement is therefore the principal obstacle between a delivered file and successful compromise.
The Exposure Extends Beyond Desktop Word
Microsoft lists affected editions across its current Office estate, including Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, and Office LTSC 2024 on 32-bit and 64-bit Windows systems. Microsoft 365 for Mac and Office LTSC for Mac are also affected, with version 16.111.26071215 identified as the corrected Mac release.The CVE also reaches supported SharePoint Server products because SharePoint includes Office and Word-related document-processing components. Microsoft’s July updates cover SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
For SharePoint Server Subscription Edition, CVE-2026-55132 is included in the July 14 cumulative security update KB5002882, build 16.0.19725.20434. SharePoint Server 2016 administrators will encounter the CVE among the issues addressed by the July servicing packages, including KB5002892 for the language pack.
Office 2016 receives its July Word security fixes through KB5002890. Microsoft says the standalone package applies to MSI-based Office 2016 installations; Click-to-Run editions use their own Office update channel instead.
This broader product list matters to administrators who might otherwise classify CVE-2026-55132 as an endpoint-only document threat. SharePoint farms that invoke affected Word functionality need the relevant server updates even if users’ desktop Office installations are already current.
SharePoint updates also require more preparation than a routine Microsoft 365 Apps rollout. Microsoft’s July documentation includes prerequisites and post-installation instructions for some SharePoint configurations, including Workflow Manager considerations and the need to complete the normal configuration process after installing server binaries. Administrators should follow the instructions for their exact SharePoint release rather than treating the cumulative package as a simple workstation patch.
Patch Status Matters More Than the Naming Dispute
For defenders, the practical response does not change based on whether the vulnerability is called remote or arbitrary code execution. The important facts are that attacker-controlled content can reach the vulnerable component remotely, exploitation requires local processing, and successful exploitation can have a high impact.Microsoft 365 Apps administrators should verify that devices have received the July 2026 Office security release through their configured update channel. Environments using deferred update rings should check whether the approved build contains the July 14 fixes rather than assuming automatic updating has already closed the gap.
Office 2016 administrators should deploy KB5002890 where applicable. Mac administrators should confirm that affected installations have reached Office version 16.111.26071215 or later, while SharePoint teams should identify and install the July cumulative update for each farm version.
Until patching is complete, normal document-security controls retain value. Organizations can reduce exposure by blocking unexpected Office attachments, using Protected View and attachment sandboxing, restricting downloads from untrusted sources, and ensuring users do not run Word with administrative privileges. Those measures reduce opportunities for exploitation but do not replace the vendor fix.
Microsoft’s advisory did not describe CVE-2026-55132 as a remotely reachable Word service vulnerability. It describes a malicious-content path in which the attacker can remain remote while Word performs the dangerous operation locally. The terminology is awkward, but the deployment priority is not: update affected Office and SharePoint installations from the July 14, 2026 release before a crafted document turns required user interaction into code execution.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com