Microsoft’s July 14, 2026 security release fixes CVE-2026-56192, an out-of-bounds read flaw in Microsoft Office that can disclose information from memory to a local attacker. Microsoft rates the issue 5.5 out of 10 under CVSS 3.1, placing it in the Medium severity band, but the unusually broad product list means both desktop Office estates and on-premises SharePoint farms should verify that the July updates have landed.
Microsoft’s Security Response Center published the advisory on July 14, while the National Vulnerability Database has recorded the vendor-supplied description as: an out-of-bounds read in Microsoft Office allowing an unauthorized attacker to disclose information locally. The NVD entry remains marked “Awaiting Enrichment,” so the public record currently offers a useful risk profile but little detail on the exact Office component, file format, or trigger involved.
The key operational point is straightforward: this is not an internet-exposed, unauthenticated remote-code-execution bug. It is nevertheless a security patch that administrators should include in normal July remediation, particularly where Office or SharePoint servers handle confidential business material.
Microsoft’s CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In plain language, the flaw has a local attack vector, low attack complexity, requires no privileges, and depends on user interaction. Successful exploitation can have a high confidentiality impact, while integrity and availability impacts are rated none.
That combination deserves a more careful reading than the 5.5 score alone suggests. “Local” does not mean a malicious insider must sit at the target keyboard. It means the vulnerable Office code must be reached in a local execution context rather than directly over the network. The advisory does not publicly establish whether that interaction is opening content, invoking an Office component through another local process, or another route entirely.
Likewise, “no privileges required” should not be read as “no foothold required.” It means an attacker does not need elevated rights once they can attempt exploitation. In enterprise incident chains, information-disclosure flaws can matter because they may expose data from an Office process, help defeat uncertainty around memory contents, or support follow-on activity after a user-level compromise.
The vulnerability is classified as CWE-125, the common weakness category for an out-of-bounds read. That is a memory-safety error: software reads beyond the intended boundary of a buffer or object and may return data that was not meant to be exposed. The current public record does not say what data can be recovered, whether the disclosure is repeatable, or whether Microsoft has observed exploitation.
That distinction matters in a busy Patch Tuesday cycle. A generic explanation of a metric should not be turned into an exploitability claim. As of July 15, Microsoft’s public advisory and the NVD record identify the vulnerability, its affected products, its CVSS vector, and its weakness type, but they do not provide a public proof of concept, attack narrative, or technical root-cause analysis.
The NVD’s “Awaiting Enrichment” label is also not a sign that the issue is speculative. Microsoft is the CNA supplying the record, and the entry was received from Microsoft on July 14. It means NVD has not yet completed its own additional analysis, such as a CVSS 4.0 assessment or fuller product metadata.
For defenders, the sensible posture is neither panic nor dismissal: treat this as a vendor-confirmed vulnerability with a shipping fix, apply the update through established change control, and avoid inventing a file-based attack scenario the vendor has not described.
That SharePoint coverage is the practical wrinkle. Workstation Office updates can often flow through Click-to-Run servicing or managed update rings. SharePoint farm updates need more deliberate maintenance planning: administrators must identify each server role, assess applicable language packs, take backups, follow their tested farm-update process, and complete post-installation configuration steps where required.
Microsoft’s July 2026 SharePoint Server Subscription Edition update, KB5002882, explicitly lists CVE-2026-56192 among the vulnerabilities it resolves. Microsoft’s July SharePoint Server 2016 Language Pack update, KB5002892, also includes the CVE and documents build 16.0.5561.1001 for that package. The NVD’s Microsoft-supplied affected-product data sets the patched minimums at:
The presence of SharePoint on the list does not prove that remote users can exploit this particular CVE through a SharePoint site. Microsoft’s rating is local, and the advisory does not describe a remote SharePoint attack path. But the server products contain vulnerable Office-related code, which is enough to make server remediation part of the response.
That means endpoint teams should verify the installed Office version and update channel from the Microsoft 365 Apps admin center, their endpoint-management platform, or the Office Account page on a representative machine. A device marked compliant by Windows Update alone may not be current for Click-to-Run Office servicing.
Office 2016 is separately listed as affected below version 16.0.5561.1000, for both 32-bit and x64 systems. It remains important to distinguish MSI-based Office 2016 installations from Click-to-Run builds; their delivery mechanisms and applicable Knowledge Base packages differ. Microsoft’s July Office update catalog is the proper starting point for organizations still maintaining that legacy deployment model.
Mac administrators are not exempt. Microsoft lists Office for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 as affected below version 16.111.26071215. Managed macOS fleets should therefore confirm their Microsoft AutoUpdate or MDM-delivered Office update status, rather than treating this as a Windows-only issue because the CVE is branded “Microsoft Office.”
For most organizations, the right response is to deploy the July Office updates through the usual rings, bring SharePoint farms to the stated patched baselines, and document the exception list. Security teams should reserve incident-hunting escalation for environments with evidence of suspicious local execution or unusual Office-process behavior, not for the CVE alone.
The unresolved item is technical detail. If Microsoft later expands the advisory with a clearer exploitation path, a proof of concept emerges, or NVD completes enrichment with additional analysis, the priority could change quickly. Until then, the concrete milestone is simpler: systems running Office and SharePoint should be on the July 14, 2026 security updates or later.
Microsoft’s Security Response Center published the advisory on July 14, while the National Vulnerability Database has recorded the vendor-supplied description as: an out-of-bounds read in Microsoft Office allowing an unauthorized attacker to disclose information locally. The NVD entry remains marked “Awaiting Enrichment,” so the public record currently offers a useful risk profile but little detail on the exact Office component, file format, or trigger involved.
The key operational point is straightforward: this is not an internet-exposed, unauthenticated remote-code-execution bug. It is nevertheless a security patch that administrators should include in normal July remediation, particularly where Office or SharePoint servers handle confidential business material.
The score says local, but user interaction still matters
Microsoft’s CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In plain language, the flaw has a local attack vector, low attack complexity, requires no privileges, and depends on user interaction. Successful exploitation can have a high confidentiality impact, while integrity and availability impacts are rated none.That combination deserves a more careful reading than the 5.5 score alone suggests. “Local” does not mean a malicious insider must sit at the target keyboard. It means the vulnerable Office code must be reached in a local execution context rather than directly over the network. The advisory does not publicly establish whether that interaction is opening content, invoking an Office component through another local process, or another route entirely.
Likewise, “no privileges required” should not be read as “no foothold required.” It means an attacker does not need elevated rights once they can attempt exploitation. In enterprise incident chains, information-disclosure flaws can matter because they may expose data from an Office process, help defeat uncertainty around memory contents, or support follow-on activity after a user-level compromise.
The vulnerability is classified as CWE-125, the common weakness category for an out-of-bounds read. That is a memory-safety error: software reads beyond the intended boundary of a buffer or object and may return data that was not meant to be exposed. The current public record does not say what data can be recovered, whether the disclosure is repeatable, or whether Microsoft has observed exploitation.
The confidence language is not a finding by itself
The advisory material accompanying CVE-2026-56192 includes text explaining a metric that measures confidence in a vulnerability’s existence and the credibility of its technical details. That wording describes the concept of a vulnerability report-confidence metric; it is not, by itself, a published conclusion that this Office bug is confirmed, publicly disclosed, or under active attack.That distinction matters in a busy Patch Tuesday cycle. A generic explanation of a metric should not be turned into an exploitability claim. As of July 15, Microsoft’s public advisory and the NVD record identify the vulnerability, its affected products, its CVSS vector, and its weakness type, but they do not provide a public proof of concept, attack narrative, or technical root-cause analysis.
The NVD’s “Awaiting Enrichment” label is also not a sign that the issue is speculative. Microsoft is the CNA supplying the record, and the entry was received from Microsoft on July 14. It means NVD has not yet completed its own additional analysis, such as a CVSS 4.0 assessment or fuller product metadata.
For defenders, the sensible posture is neither panic nor dismissal: treat this as a vendor-confirmed vulnerability with a shipping fix, apply the update through established change control, and avoid inventing a file-based attack scenario the vendor has not described.
SharePoint turns an Office advisory into a server-patching task
CVE-2026-56192 affects more than Microsoft 365 Apps. The published affected-product data covers Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office for Mac, and the on-premises SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition lines.That SharePoint coverage is the practical wrinkle. Workstation Office updates can often flow through Click-to-Run servicing or managed update rings. SharePoint farm updates need more deliberate maintenance planning: administrators must identify each server role, assess applicable language packs, take backups, follow their tested farm-update process, and complete post-installation configuration steps where required.
Microsoft’s July 2026 SharePoint Server Subscription Edition update, KB5002882, explicitly lists CVE-2026-56192 among the vulnerabilities it resolves. Microsoft’s July SharePoint Server 2016 Language Pack update, KB5002892, also includes the CVE and documents build 16.0.5561.1001 for that package. The NVD’s Microsoft-supplied affected-product data sets the patched minimums at:
- SharePoint Server 2016: build 16.0.5561.1001.
- SharePoint Server 2019: build 16.0.10417.20175.
- SharePoint Server Subscription Edition: build 16.0.19725.20434.
The presence of SharePoint on the list does not prove that remote users can exploit this particular CVE through a SharePoint site. Microsoft’s rating is local, and the advisory does not describe a remote SharePoint attack path. But the server products contain vulnerable Office-related code, which is enough to make server remediation part of the response.
Desktop Office needs version-aware verification
For Microsoft 365 Apps and Click-to-Run editions of Office 2019, LTSC 2021, and LTSC 2024, Microsoft’s affected-version notation points administrators to its Office Security Releases servicing track rather than naming a single universal build number. That reflects the reality of Office channels: Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel can receive security fixes in different builds and on different schedules.That means endpoint teams should verify the installed Office version and update channel from the Microsoft 365 Apps admin center, their endpoint-management platform, or the Office Account page on a representative machine. A device marked compliant by Windows Update alone may not be current for Click-to-Run Office servicing.
Office 2016 is separately listed as affected below version 16.0.5561.1000, for both 32-bit and x64 systems. It remains important to distinguish MSI-based Office 2016 installations from Click-to-Run builds; their delivery mechanisms and applicable Knowledge Base packages differ. Microsoft’s July Office update catalog is the proper starting point for organizations still maintaining that legacy deployment model.
Mac administrators are not exempt. Microsoft lists Office for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 as affected below version 16.111.26071215. Managed macOS fleets should therefore confirm their Microsoft AutoUpdate or MDM-delivered Office update status, rather than treating this as a Windows-only issue because the CVE is branded “Microsoft Office.”
Patch now, investigate only if there is evidence
There is no public indication in the current advisory that CVE-2026-56192 is actively exploited, and Microsoft has not assigned it the urgency associated with a remote code execution vulnerability. Still, confidentiality-only does not mean consequence-free. Office processes routinely handle documents, spreadsheets, presentations, templates, tokens, and other material an attacker may value.For most organizations, the right response is to deploy the July Office updates through the usual rings, bring SharePoint farms to the stated patched baselines, and document the exception list. Security teams should reserve incident-hunting escalation for environments with evidence of suspicious local execution or unusual Office-process behavior, not for the CVE alone.
The unresolved item is technical detail. If Microsoft later expands the advisory with a clearer exploitation path, a proof of concept emerges, or NVD completes enrichment with additional analysis, the priority could change quickly. Until then, the concrete milestone is simpler: systems running Office and SharePoint should be on the July 14, 2026 security updates or later.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Office 2016: November 11, 2025 (KB5002810) | Microsoft Support
Description of the security update for Office 2016: November 11, 2025 (KB5002810)support.microsoft.com - Related coverage: techradar.com
Worrying Microsoft Office security flaw patched - update now or risk hackers accessing your files | TechRadar
Microsoft forced to issue an emergency patchwww.techradar.com - Official source: learn.microsoft.com
Latest updates for versions of Office that use Windows Installer (MSI) - Office release notes | Microsoft Learn
Provides IT Pros with links to the latest update information for perpetual version of Office 2016.learn.microsoft.com - Related coverage: pcgamer.com
Microsoft announces that Office has two critical security vulnerabilities, and here's where you can find patches to fix them | PC Gamer
Both also require local access to exploit, so while they're bad, they're not super bad.www.pcgamer.com