Microsoft has patched CVE-2026-55142, an Important-rated information disclosure vulnerability in Microsoft Word that can expose sensitive data when a user interacts with malicious content. The flaw affects Microsoft 365 Apps, supported perpetual Office releases, Word 2016, Office for Mac, and Word-related processing in several SharePoint Server editions.
Published in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 5.5. Microsoft attributes it to a numeric truncation error, tracked as CWE-197, that allows an unauthorized attacker to disclose information locally.
The practical action is straightforward: Office administrators should deploy the July 2026 security updates across every applicable update channel and verify that manually serviced Word 2016 and SharePoint Server installations received their corresponding packages.
The CVSS vector assigned by Microsoft is
Microsoft has not publicly documented the exact interaction necessary to trigger the bug. The vector indicates that the attacker cannot simply target a vulnerable Word installation over the network; malicious content must reach a machine and persuade its user to take an action, potentially involving opening or processing a crafted document.
That distinction limits initial access but does not make the issue negligible. Word documents routinely arrive through email attachments, Microsoft Teams conversations, SharePoint libraries, browser downloads, ticketing systems, and shared network folders. Attackers are already accustomed to using invoices, résumés, legal notices, and internal-looking reports to encourage document interaction.
The vulnerability’s impact metrics are also unusually focused. A successful exploit is assessed as having a high effect on confidentiality while producing no direct loss of integrity or availability. In other words, CVE-2026-55142 is not described as a route to execute code, modify files, or crash Word; its security value lies in extracting information that should not have been exposed.
That leaked information could still support a later attack. Depending on what the faulty calculation exposes, disclosure vulnerabilities can reveal document data, process memory, or technical details useful for defeating mitigations. Microsoft has not specified what information can be recovered here, so claims that the flaw exposes passwords, entire documents, or particular memory structures remain unverified.
In a document parser, an incorrect size, offset, count, or length can cause the application to operate on a value different from the one encoded in the file. The security consequence depends on where that value is used. It may cause Word to read information outside the intended boundary or return data that should never become visible to the document or attacker.
Microsoft has not released proof-of-concept code, a detailed root-cause analysis, or the affected Word file structure. The public description therefore confirms the vulnerability and its broad weakness category without giving attackers—or defenders—a reproducible technical path.
The confidence-related language accompanying the CVE record should be read in that context. It describes how firmly a vulnerability and its technical details are established, ranging from an initially reported impact to vendor confirmation. CVE-2026-55142 sits beyond the speculative stage because Microsoft has acknowledged the flaw, assigned the CVE and CWE classifications, identified affected products, and shipped updates. What remains limited is the depth of public technical disclosure.
CISA’s initial Stakeholder-Specific Vulnerability Categorization record listed no observed exploitation and described the issue as not readily automatable, with partial technical impact. As of July 15, there is no public indication that CVE-2026-55142 was exploited before Microsoft released the fix, and it has not been presented as one of July’s actively exploited zero-days.
That status is a snapshot, not a reason to defer patching. Office vulnerabilities become easier to study once security updates are available because researchers and attackers can compare patched and unpatched binaries. A flaw with sparse disclosure on Patch Tuesday may acquire working technical detail after update diffing.
Microsoft’s July 2026 Office release index assigns KB5002890 to the Word 2016 security update. The same release includes KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Language packs and other Office components have separate July packages, so administrators should use Microsoft’s product-specific update inventory rather than assuming one Word patch covers every server role.
Microsoft 365 Apps installations normally obtain security fixes through their assigned servicing channel. That convenience can hide deployment gaps when devices are offline, update policies are paused, content delivery is staged, or a channel has fallen out of support. Security teams should check reported Office builds instead of treating the existence of an automatic-update policy as proof of remediation.
Mac administrators have a particularly clear validation point: affected installations must be brought to Microsoft 365 for Mac 16.111.26071215 or later.
Protected View, attachment scanning, application control, and restrictions on files from untrusted locations can make malicious-document delivery harder. Users should also avoid opening unexpected Word files, including documents sent from apparently familiar accounts when the message context is unusual. None of those measures corrects the numeric handling error in Word itself.
For managed environments, the immediate job is to inventory Office editions and update channels, deploy the July 14 releases, and confirm successful installation. SharePoint farms require the usual server-update discipline, including checking every node and completing any Microsoft-prescribed post-update configuration steps rather than stopping after package installation.
CVE-2026-55142 is not the highest-scoring vulnerability in Microsoft’s unusually large July 2026 security release, but its combination of common document workflows and high confidentiality impact gives it a credible phishing role. The next meaningful milestone will be whether researchers publish technical analysis or exploitation evidence; until then, Microsoft’s patched build numbers are the most reliable line between exposed and remediated systems.
Published in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 5.5. Microsoft attributes it to a numeric truncation error, tracked as CWE-197, that allows an unauthorized attacker to disclose information locally.
The practical action is straightforward: Office administrators should deploy the July 2026 security updates across every applicable update channel and verify that manually serviced Word 2016 and SharePoint Server installations received their corresponding packages.
User Interaction Keeps the Attack Local, Not Harmless
The CVSS vector assigned by Microsoft is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In operational terms, the attack is local, requires low complexity, needs no existing privileges, and depends on user interaction.Microsoft has not publicly documented the exact interaction necessary to trigger the bug. The vector indicates that the attacker cannot simply target a vulnerable Word installation over the network; malicious content must reach a machine and persuade its user to take an action, potentially involving opening or processing a crafted document.
That distinction limits initial access but does not make the issue negligible. Word documents routinely arrive through email attachments, Microsoft Teams conversations, SharePoint libraries, browser downloads, ticketing systems, and shared network folders. Attackers are already accustomed to using invoices, résumés, legal notices, and internal-looking reports to encourage document interaction.
The vulnerability’s impact metrics are also unusually focused. A successful exploit is assessed as having a high effect on confidentiality while producing no direct loss of integrity or availability. In other words, CVE-2026-55142 is not described as a route to execute code, modify files, or crash Word; its security value lies in extracting information that should not have been exposed.
That leaked information could still support a later attack. Depending on what the faulty calculation exposes, disclosure vulnerabilities can reveal document data, process memory, or technical details useful for defeating mitigations. Microsoft has not specified what information can be recovered here, so claims that the flaw exposes passwords, entire documents, or particular memory structures remain unverified.
Numeric Truncation Is the Root Cause Microsoft Is Naming
Microsoft classifies CVE-2026-55142 as CWE-197, Numeric Truncation Error. This category covers cases in which software converts or stores a number in a smaller representation and loses significant bits in the process.In a document parser, an incorrect size, offset, count, or length can cause the application to operate on a value different from the one encoded in the file. The security consequence depends on where that value is used. It may cause Word to read information outside the intended boundary or return data that should never become visible to the document or attacker.
Microsoft has not released proof-of-concept code, a detailed root-cause analysis, or the affected Word file structure. The public description therefore confirms the vulnerability and its broad weakness category without giving attackers—or defenders—a reproducible technical path.
The confidence-related language accompanying the CVE record should be read in that context. It describes how firmly a vulnerability and its technical details are established, ranging from an initially reported impact to vendor confirmation. CVE-2026-55142 sits beyond the speculative stage because Microsoft has acknowledged the flaw, assigned the CVE and CWE classifications, identified affected products, and shipped updates. What remains limited is the depth of public technical disclosure.
CISA’s initial Stakeholder-Specific Vulnerability Categorization record listed no observed exploitation and described the issue as not readily automatable, with partial technical impact. As of July 15, there is no public indication that CVE-2026-55142 was exploited before Microsoft released the fix, and it has not been presented as one of July’s actively exploited zero-days.
That status is a snapshot, not a reason to defer patching. Office vulnerabilities become easier to study once security updates are available because researchers and attackers can compare patched and unpatched binaries. A flaw with sparse disclosure on Patch Tuesday may acquire working technical detail after update diffing.
The Affected Footprint Extends Beyond Desktop Word
The CVE record identifies a broad set of affected Microsoft productivity products:- Microsoft 365 Apps for enterprise is affected on both 32-bit and 64-bit Windows systems.
- Microsoft Office 2019, Office LTSC 2021, and Office LTSC 2024 are affected on Windows.
- Microsoft 365 for Mac is affected before version 16.111.26071215.
- Microsoft Word 2016 is affected before version 16.0.5561.1000.
- SharePoint Enterprise Server 2016 is affected before version 16.0.5561.1001.
- SharePoint Server 2019 is affected before version 16.0.10417.20175.
- SharePoint Server Subscription Edition is affected before version 16.0.19725.20434.
Microsoft’s July 2026 Office release index assigns KB5002890 to the Word 2016 security update. The same release includes KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Language packs and other Office components have separate July packages, so administrators should use Microsoft’s product-specific update inventory rather than assuming one Word patch covers every server role.
Microsoft 365 Apps installations normally obtain security fixes through their assigned servicing channel. That convenience can hide deployment gaps when devices are offline, update policies are paused, content delivery is staged, or a channel has fallen out of support. Security teams should check reported Office builds instead of treating the existence of an automatic-update policy as proof of remediation.
Mac administrators have a particularly clear validation point: affected installations must be brought to Microsoft 365 for Mac 16.111.26071215 or later.
Patch Verification Matters More Than Workarounds
Microsoft’s advisory does not describe a standalone workaround that offers the same assurance as installing the corrected Office builds. Normal document controls can reduce exposure, but they should remain secondary defenses.Protected View, attachment scanning, application control, and restrictions on files from untrusted locations can make malicious-document delivery harder. Users should also avoid opening unexpected Word files, including documents sent from apparently familiar accounts when the message context is unusual. None of those measures corrects the numeric handling error in Word itself.
For managed environments, the immediate job is to inventory Office editions and update channels, deploy the July 14 releases, and confirm successful installation. SharePoint farms require the usual server-update discipline, including checking every node and completing any Microsoft-prescribed post-update configuration steps rather than stopping after package installation.
CVE-2026-55142 is not the highest-scoring vulnerability in Microsoft’s unusually large July 2026 security release, but its combination of common document workflows and high confidentiality impact gives it a credible phishing role. The next meaningful milestone will be whether researchers publish technical analysis or exploitation evidence; until then, Microsoft’s patched build numbers are the most reliable line between exposed and remediated systems.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com