Microsoft released its July 2026 security updates for Office on Tuesday, and one patch in particular deserves immediate attention. CVE-2026-56195, an out-of-bounds read flaw, could allow attackers to silently extract sensitive data from memory after a victim opens a malicious file – and it affects every major Office version across Windows and Mac. No active attacks have been spotted yet, but with details now public, it’s a race against reverse engineers.
What actually changed in the July 2026 Office update
On July 14, 2026, Microsoft published CVE-2026-56195 in its Security Response Center advisory. The vulnerability is an out-of-bounds read – a type of memory safety error where the software reads data beyond the intended buffer, inadvertently exposing whatever sits next to it in memory. The flaw can be triggered by a specially crafted Office file, and if exploited, it could leak sensitive information like document fragments, credentials, or encryption keys that happen to be in memory at the time.
The Cybersecurity & Infrastructure Security Agency’s (CISA) SSVC triage confirms the vulnerability is not currently exploited, not automatable, and has only a “partial” technical impact. But that partial impact can be serious: a high degree of confidentiality loss, according to the CVSS 3.1 score of 5.5 (Medium). The attack vector is local, meaning the attacker must deliver the malicious file to the user – a chillingly familiar tactic in phishing, invoice scams, and shared-file lures.
Microsoft’s advisory covers a wide swath of products: Microsoft 365 Apps (current channel and enterprise channels), Office LTSC 2024, Office LTSC 2021, Office 2019, and Office 2016, in both 32-bit and 64-bit flavors. macOS versions are also affected: Microsoft 365 for Mac and Office LTSC for Mac 2021 and 2024. The patch is delivered through Office’s normal servicing channels – Click-to-Run for subscription and retail installations, and downloadable MSI packages for volume-licensed perpetual editions.
Specific build numbers to look for include:
- Current Channel: Version 2606, Build 20131.20154
- Monthly Enterprise Channel: Version 2606, Build 20131.20152
- Semi-Annual Enterprise Channel: Version 2508, Build 19127.20730
- Office LTSC 2024 Volume Licensed: Version 2408, Build 17932.20884
- Office LTSC 2021 Volume Licensed: Version 2108, Build 14334.20806
- Office 2019 Volume Licensed: Version 1808, Build 10417.20176
- Office 2016 (MSI): Version 16.0.5561.1000
- Mac (all affected): Version 16.111.26071215
What this means for you – and your organization
For most home users and small businesses running Microsoft 365, the fix will arrive automatically through background updates. Open any Office application, go to File > Account > Update Options, and click “Update Now” if you want to force the installation immediately. There’s no need to panic – but there’s also no reason to wait.
IT admins managing a fleet of devices have a more nuanced job. Because Office clients report the same “16.x” version family across different servicing channels, inventory tools can be misleading. A machine labeled “Office 2019” might actually be on a Monthly Enterprise Channel build if it’s part of a Microsoft 365 subscription. To confirm, check the exact build number in the Account screen of any Office app, or query via Configuration Manager, Intune, or the Microsoft 365 Apps admin center. The target is any build equal to or newer than the July 14 security release for that channel.
Organizations still running Office 2019 should take note: Microsoft ended mainstream support for Office 2019 on October 14, 2025. The fact that a July 2026 security patch exists is a discretionary gesture, not a return to a supported lifecycle. If you haven’t already, start planning your migration to a supported Office version.
How we got here
CVE-2026-56195 arrived in the regular July Patch Tuesday cycle, alongside fixes for Windows, .NET, and other Microsoft products. Out-of-bounds read vulnerabilities in Office are not unprecedented, but they rarely grab headlines because they require user interaction and typically don’t grant full system control. However, the ubiquity of Office documents as an attack vector makes any information‑disclosure flaw worth treating seriously.
The vulnerability was reported through Microsoft’s coordinated vulnerability disclosure program; the advisory credits an unnamed researcher. Unlike zero‑day exploits that force emergency out‑of‑band patches, this one came through the normal pipeline. Yet the lag between a public fix and the first in‑the‑wild exploit can be measured in days or weeks, not months. Attackers reverse‑engineer patches to figure out what changed, and then craft exploits. That’s why prompt patching is critical, even when no active attacks are known.
What to do now
Update your Office installation. For Microsoft 365 users, the simplest method is to open Word, Excel, or PowerPoint, then File → Account → Update Options → Update Now. On a Mac, open any Office app, go to Help → Check for Updates. The update downloads and installs automatically; you may need to restart the application.
Verify the build number. After updating, confirm the fix took effect. In the same Account screen, the “About” section shows the build. Match it against the list above. If you’re on a different channel (like Beta Channel), check Microsoft’s security release notes for the corresponding build.
For IT admins:
- Use your endpoint management tool to audit Office build versions across your fleet. Target the July security baseline for each channel.
- If you deploy Office via Configuration Manager, synchronize the Office 365 Client Management node and approve the update.
- For MSI‑based Office 2016, download the individual KB packages from the Microsoft Update Catalog and deploy them with your usual patch management system. Note that these are not cumulative with Click‑to‑Run; treat them as separate patch streams.
- Revisit your update rings: Monthly Enterprise Channel gets security updates on the second Tuesday; Semi-Annual Enterprise Channel began receiving monthly security and feature updates in July 2026, so expectations around cadence have changed.
Don’t over‑focus on this one CVE. While you’re patching, ensure you’re also applying the July Windows cumulative updates and any other critical fixes. CVE-2026-56195 is a Medium‑severity, non‑automatable information disclosure bug, so don’t sacrifice other security work to address it. It should slot into your normal patch deployment cycle.
Finally, remind users of the basics: don’t open attachments or click links in unexpected emails, even if they appear to be from a known contact. The vulnerability requires a user‑initiated action, so a little suspicion goes a long way.
What to watch for next
The short‑term outlook is calm but not static. Microsoft’s advisory currently lists no exploitation, but that can change. Bookmark the CVE-2026-56195 entry in the MSRC portal and check back periodically for updates. If you see a change to “Exploitation Detected,” accelerate your deployment. The National Vulnerability Database may also enrich the entry with more technical details or a CVSS 4.0 score. For now, the simplest and most effective defense is to ensure that every Office client in your environment has shaken hands with the July 2026 security build.