CVE-2026-55134 is a Microsoft Word code-execution flaw rated 7.8 High, but its CVSS vector begins with AV:L rather than AV:N. That is not a contradiction: “remote code execution” describes the attacker’s resulting capability, while “local attack vector” describes where the vulnerable Word code must process the malicious input.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security updates. The Microsoft Security Response Center describes it as a stack-based buffer overflow that allows an unauthorized attacker to execute code locally, while the advisory title uses the broader Microsoft impact category “Remote Code Execution.”
The distinction matters for patch prioritization. CVE-2026-55134 is not a network service flaw that an attacker can directly trigger by sending packets to an exposed Windows port, but it can still let a remote adversary gain code execution after persuading a user—or an affected service—to process attacker-controlled content.
Microsoft assigned CVE-2026-55134 the following CVSS 3.1 vector:
The AV:L component means exploitation requires access through a local execution context. In a Word vulnerability, that commonly means a specially crafted document or related content must be opened or processed on the target machine. The attacker does not necessarily need to be physically present, signed into Windows, or already running an interactive session on the device.
A document can originate from an email attachment, collaboration platform, download, shared folder, or messaging application. The attacker may therefore operate from another country while the vulnerable parsing operation occurs inside Word on the victim’s computer.
That is why local in CVSS should not be read as “the attacker must sit at the keyboard.” It describes the logical proximity needed to reach the vulnerable component. Word is processing a local file or locally accessible object rather than accepting an unauthenticated exploit directly over a network protocol.
The remainder of Microsoft’s vector clarifies the expected chain. Attack complexity is low, the attacker requires no existing privileges, and user interaction is required. A successful exploit can have high confidentiality, integrity, and availability impact, meaning the attacker could potentially read data, modify resources, or disrupt the affected environment within the privileges available to the compromised process.
In this case, “remote” refers principally to the attacker’s relationship to the target. The attacker can prepare malicious content elsewhere, deliver it to the victim, and obtain code execution when the content reaches the required local processing stage.
Microsoft addresses the apparent terminology mismatch directly in its advisory. The company says the attack itself is carried out locally because an attacker or victim must execute code from the local machine, while the attacker may be remote. That makes CVE-2026-55134 different from an AV:N vulnerability, but not harmless to organizations receiving untrusted Office documents.
A useful comparison is a vulnerable web server. If an attacker can send one crafted HTTP request to the server and trigger memory corruption without a user opening anything, CVSS would normally use AV:N. If an attacker emails a malformed Word document that must be opened on an endpoint, AV:L and UI:R can be appropriate even if the ultimate result is code execution initiated by a remote criminal.
The title therefore communicates the worst credible impact, while the vector communicates the prerequisites.
Microsoft has not publicly provided enough technical detail to reproduce the flaw safely or determine exactly which Word file structure reaches the vulnerable code. The published metrics nevertheless indicate that exploitation does not require authentication or elevated privileges, but does require a person or process to handle the crafted content.
Code execution would ordinarily occur in the security context of the affected Word process. A user running with standard privileges would limit the attacker compared with an administrator account, but compromise under a standard account can still expose documents, browser data, network resources, saved credentials, and files synchronized through OneDrive or SharePoint.
Endpoint protections such as Microsoft Defender Antivirus, Attack Surface Reduction rules, Protected View, and application isolation may interrupt particular delivery or post-exploitation techniques. They should be treated as additional controls rather than replacements for the July 2026 Office patches.
As of July 15, the National Vulnerability Database showed no known exploitation in CISA’s assessment data. That status is a snapshot, not evidence that malicious documents will never appear, and the combination of low attack complexity and high technical impact gives defenders little reason to defer remediation.
The SharePoint exposure makes this more than an endpoint-only patching exercise. CVE-2026-55134 is included in the July 14 security updates for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, indicating that Microsoft’s server products also contain or invoke affected Word-processing components.
For SharePoint Server Subscription Edition, the relevant cumulative update is KB5002882, build 16.0.19725.20434. Microsoft instructs farms using SharePoint Workflow Manager to install KB5002799 before deploying that cumulative update, and administrators still need to run the normal SharePoint configuration process rather than treating the package like a conventional Windows endpoint patch.
Administrators should inventory both interactive Office installations and server-side Office components. Microsoft 365 Apps normally receives security fixes through its servicing channels, while perpetual Office editions, MSI-based Word 2016 deployments, Macs, and on-premises SharePoint farms may follow separate deployment paths.
Until updates are broadly installed, organizations should continue blocking unexpected Office attachments, preserve Mark of the Web metadata, avoid encouraging users to bypass Protected View, and monitor Word child processes and suspicious outbound connections. Email filtering can reduce exposure, but it cannot reliably identify every malformed document or a malicious file delivered through a trusted collaboration account.
CVE-2026-55134 is consequently remote in operational risk but local in CVSS reachability. The attacker can be anywhere; the decisive moment occurs when affected Word code processes the content on the endpoint or server.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security updates. The Microsoft Security Response Center describes it as a stack-based buffer overflow that allows an unauthorized attacker to execute code locally, while the advisory title uses the broader Microsoft impact category “Remote Code Execution.”
The distinction matters for patch prioritization. CVE-2026-55134 is not a network service flaw that an attacker can directly trigger by sending packets to an exposed Windows port, but it can still let a remote adversary gain code execution after persuading a user—or an affected service—to process attacker-controlled content.
CVSS Measures the Route Into the Vulnerable Component
Microsoft assigned CVE-2026-55134 the following CVSS 3.1 vector:CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HThe AV:L component means exploitation requires access through a local execution context. In a Word vulnerability, that commonly means a specially crafted document or related content must be opened or processed on the target machine. The attacker does not necessarily need to be physically present, signed into Windows, or already running an interactive session on the device.
A document can originate from an email attachment, collaboration platform, download, shared folder, or messaging application. The attacker may therefore operate from another country while the vulnerable parsing operation occurs inside Word on the victim’s computer.
That is why local in CVSS should not be read as “the attacker must sit at the keyboard.” It describes the logical proximity needed to reach the vulnerable component. Word is processing a local file or locally accessible object rather than accepting an unauthenticated exploit directly over a network protocol.
The remainder of Microsoft’s vector clarifies the expected chain. Attack complexity is low, the attacker requires no existing privileges, and user interaction is required. A successful exploit can have high confidentiality, integrity, and availability impact, meaning the attacker could potentially read data, modify resources, or disrupt the affected environment within the privileges available to the compromised process.
“Remote Code Execution” Names the Security Impact
Microsoft uses “Remote Code Execution” for vulnerabilities through which an attacker can cause code of the attacker’s choosing to run on another system. It is closely related to the term arbitrary code execution, and it does not guarantee that the initial trigger travels directly over the network.In this case, “remote” refers principally to the attacker’s relationship to the target. The attacker can prepare malicious content elsewhere, deliver it to the victim, and obtain code execution when the content reaches the required local processing stage.
Microsoft addresses the apparent terminology mismatch directly in its advisory. The company says the attack itself is carried out locally because an attacker or victim must execute code from the local machine, while the attacker may be remote. That makes CVE-2026-55134 different from an AV:N vulnerability, but not harmless to organizations receiving untrusted Office documents.
A useful comparison is a vulnerable web server. If an attacker can send one crafted HTTP request to the server and trigger memory corruption without a user opening anything, CVSS would normally use AV:N. If an attacker emails a malformed Word document that must be opened on an endpoint, AV:L and UI:R can be appropriate even if the ultimate result is code execution initiated by a remote criminal.
The title therefore communicates the worst credible impact, while the vector communicates the prerequisites.
The Buffer Overflow Carries Full-Impact Consequences
The underlying weakness is identified as CWE-121, a stack-based buffer overflow. This class of flaw occurs when software writes more data to a stack buffer than the buffer was designed to hold, potentially corrupting nearby control information and changing program execution.Microsoft has not publicly provided enough technical detail to reproduce the flaw safely or determine exactly which Word file structure reaches the vulnerable code. The published metrics nevertheless indicate that exploitation does not require authentication or elevated privileges, but does require a person or process to handle the crafted content.
Code execution would ordinarily occur in the security context of the affected Word process. A user running with standard privileges would limit the attacker compared with an administrator account, but compromise under a standard account can still expose documents, browser data, network resources, saved credentials, and files synchronized through OneDrive or SharePoint.
Endpoint protections such as Microsoft Defender Antivirus, Attack Surface Reduction rules, Protected View, and application isolation may interrupt particular delivery or post-exploitation techniques. They should be treated as additional controls rather than replacements for the July 2026 Office patches.
As of July 15, the National Vulnerability Database showed no known exploitation in CISA’s assessment data. That status is a snapshot, not evidence that malicious documents will never appear, and the combination of low attack complexity and high technical impact gives defenders little reason to defer remediation.
The Patch Reaches Beyond Desktop Word
Microsoft’s affected-product data includes Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, Office for Mac, and several supported SharePoint Server releases. Word 2016 receives its fix through KB5002890, according to Microsoft’s July 2026 Office update listing.The SharePoint exposure makes this more than an endpoint-only patching exercise. CVE-2026-55134 is included in the July 14 security updates for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, indicating that Microsoft’s server products also contain or invoke affected Word-processing components.
For SharePoint Server Subscription Edition, the relevant cumulative update is KB5002882, build 16.0.19725.20434. Microsoft instructs farms using SharePoint Workflow Manager to install KB5002799 before deploying that cumulative update, and administrators still need to run the normal SharePoint configuration process rather than treating the package like a conventional Windows endpoint patch.
Administrators should inventory both interactive Office installations and server-side Office components. Microsoft 365 Apps normally receives security fixes through its servicing channels, while perpetual Office editions, MSI-based Word 2016 deployments, Macs, and on-premises SharePoint farms may follow separate deployment paths.
Until updates are broadly installed, organizations should continue blocking unexpected Office attachments, preserve Mark of the Web metadata, avoid encouraging users to bypass Protected View, and monitor Word child processes and suspicious outbound connections. Email filtering can reduce exposure, but it cannot reliably identify every malformed document or a malicious file delivered through a trusted collaboration account.
CVE-2026-55134 is consequently remote in operational risk but local in CVSS reachability. The attacker can be anywhere; the decisive moment occurs when affected Word code processes the content on the endpoint or server.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com