Microsoft's July 14, 2026 Patch Tuesday fixes a critical remote code execution flaw in Word that could give attackers full control of your PC the moment you open a malicious document. Tagged CVE-2026-55132 with a CVSS score of 7.8, the update patches a double-free memory bug in Microsoft Office Word that affects everything from consumer versions of Microsoft 365 to enterprise SharePoint servers. Here's what you need to know, how bad it is, and exactly what to do about it.

The Vulnerability: A Memory Error That Opens the Door

CVE-2026-55132 is a double-free vulnerability in Microsoft Office Word. This class of bug occurs when the software releases the same memory allocation more than once, potentially corrupting the application's heap. An attacker who can shape the affected memory state may be able to redirect program execution rather than simply crash Word. Microsoft rates the potential confidentiality, integrity, and availability impact as High, meaning successful exploitation could allow the attacker to read data, alter data, and disrupt the affected application or system.

The flaw carries a CVSS 3.1 score of 7.8, with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack is classified as local (AV:L), requires low complexity, no privileges, but does demand user interaction (UI:R). In plain English: an attacker can remotely deliver a booby-trapped document via email, download, or file share, but the exploit only fires when someone opens it in an unpatched version of Word.

Despite the “Remote Code Execution” label in the CVE title, the attack path is local execution. Microsoft explains that “Remote” in the title refers to the location of the attacker, not a network-reachable service. The company’s advisory notes, “This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE).” The distinction matters because it shapes defensive strategies: you can’t just firewall this one; you must stop the document from being opened.

Any code that runs will do so with the privileges of the Word process. That makes account permissions a crucial boundary. A standard user session still exposes documents, browser data, authentication material, mapped drives, and cloud-synced folders. It’s also a common foothold for a second exploit that escalates privileges.

Who’s Affected—and What’s Actually at Stake

The update addresses a broad set of products. On the client side, it covers:

  • Microsoft 365 Apps for enterprise, Office 2019, Office LTSC 2021, and Office LTSC 2024 (both 32-bit and 64-bit editions on Windows)
  • Microsoft 365 for Mac and Office LTSC for Mac, with version 16.111.26071215 identified as the corrected release

Crucially, the CVE also reaches supported SharePoint Server products. SharePoint includes Office and Word-related document-processing components, so a malicious file processed on the server could trigger the same bug. The July updates cover:

  • SharePoint Server 2016
  • SharePoint Server 2019
  • SharePoint Server Subscription Edition

For SharePoint administrators, this transforms CVE-2026-55132 from an endpoint concern into a farm-wide priority. The specific patches differ by version:

  • SharePoint Server Subscription Edition: Cumulative security update KB5002882, build 16.0.19725.20434
  • SharePoint Server 2016: Included in the July servicing packages, with KB5002892 for the language pack
  • Office 2016 MSI-based installations: KB5002890 (Click-to-Run editions receive fixes through their update channel)

The Attack Chain: From Inbox to Code Execution

Exploitation starts with social engineering. An attacker crafts a malicious Word document that exploits the double-free bug and delivers it to the target. Common delivery methods include phishing emails, compromised download sites, or even collaboration platforms like SharePoint and Teams if the file is uploaded there.

When the victim opens the document, Word’s parsing of the malformed content triggers the double-free condition. Because the bug requires no special privileges, simply double-clicking the file is enough to execute the attacker’s code. The user might notice nothing unusual—a flicker, a brief pause, or nothing at all while the payload does its work.

From there, the attacker can steal data, install malware, or move laterally across the network. If the victim has administrative rights, the attacker gains full system control. Even without admin rights, the compromise is severe: ransomware gangs regularly use such document-based entry points to encrypt files and extort victims.

How We Got Here: A Familiar Pattern in Office Security

Double-free bugs are a well-known category of memory corruption vulnerability, but they remain stubbornly persistent in complex software like Office. The Word binary processes a staggering variety of file formats and embedded objects, each with its own parsing logic—an ideal breeding ground for memory management mistakes.

Microsoft’s July 2026 Patch Tuesday includes the fix alongside other security updates. Historically, Office vulnerabilities that require user interaction are often rated “Important” rather than “Critical” under Microsoft’s own severity classification, but CVE-2026-55132 carries a “Important” rating (the CVSS High score reflects broader industry assessment). The combination of low attack complexity and high impact has made such flaws a favorite of advanced persistent threat groups and commodity malware kits alike.

The inclusion of SharePoint in the advisory is a reminder that server-side document processing is just as vulnerable. SharePoint’s ability to generate previews, convert documents, and process workflows can invoke the same bug. That means an unauthenticated user could potentially upload a malicious file to a document library and have it processed by the server, bypassing the user interaction step entirely—though no exploit details have been publicly confirmed.

What to Do Now: Patch Priority and Practical Defenses

For home users and small businesses:

  • Verify that Office updates are enabled. In Microsoft 365, go to File > Account > Update Options and click “Update Now.”
  • If you use a volume-licensed version of Office 2016, install KB5002890 through Windows Update or the Microsoft Update Catalog.
  • On a Mac, check that your Office installation is version 16.111.26071215 or later by looking under the “About” menu.

For IT administrators:

  • Deploy the July 14, 2026 Office security release across all managed devices through your update management system. For Microsoft 365 Apps, ensure your update channel has delivered the latest build.
  • If you use security update deferrals, verify that the approved build includes the July fixes; do not assume automatic updating has closed the gap.
  • For Office 2016 MSI installations, download and deploy KB5002890 manually if necessary.

For SharePoint administrators:

  • Identify every SharePoint server in your farm and install the July cumulative update for your version. The patches address CVE-2026-55132 among other fixes.
  • SharePoint Server Subscription Edition: KB5002882 (build 16.0.19725.20434).
  • SharePoint Server 2019: Install the July 2026 cumulative update.
  • SharePoint Server 2016: Apply the July servicing packages, including KB5002892 for language packs.
  • Remember that SharePoint updates often require post-installation steps, such as running the SharePoint Products Configuration Wizard and restarting services. Consult Microsoft’s documentation for your specific version.

While you orchestrate the patches, reinforce your document-security posture:

  • Block unexpected Office attachments at email gateways.
  • Enable Protected View for documents from the internet and consider using Application Guard for Office if your licensing permits.
  • Use attachment sandboxing and detonation services to screen documents before they reach users.
  • Remind users not to open suspicious attachments and to avoid enabling macros or editing privileges unless absolutely necessary.
  • Enforce the principle of least privilege: users should not run as administrators, which limits the damage any exploit can cause.

These measures don’t replace the vendor fix, but they buy you time and reduce the attack surface.

Outlook: Document-Based Threats Are Here to Stay

CVE-2026-55132 is not the first critical Word vulnerability, and it won’t be the last. As long as Office remains a universal document platform, attackers will hunt for parsing flaws. The July 2026 patch also aligns with Microsoft’s broader push toward cloud-first security, but the reality is that on-premises and hybrid environments still need meticulous, timely patching.

What should you watch next? If past patterns hold, proof-of-concept code will appear soon after the Patch Tuesday details become public. Defenders should treat the first 30 days after release as a race against exploitation. The good news: a fully patched device or server is immune. The bad news: every hour you delay is an hour an attacker could be crafting a document with your company’s logo on it.

Update now. Then check again. Because in a world where one double-click can cost you everything, paranoia is just good operations.