Microsoft released security updates on July 14, 2026, patching a high-severity vulnerability in Microsoft Office that could allow an attacker to run arbitrary code after a user opens a malicious file. The flaw, tracked as CVE-2026-55125, earned a CVSS score of 7.8 and affects all major versions of Office on Windows and macOS, as well as SharePoint Server deployments.
The Patch Closes a Heap Overflow in Office
CVE-2026-55125 is a heap-based buffer overflow (CWE-122) in Microsoft Office. A successful exploit could give an attacker full control: the CVSS vector assigns High impact to confidentiality, integrity, and availability. While exploitation requires local access to the target system—meaning the malicious file must first be delivered to the user's machine—the attack can be triggered simply by opening a booby-trapped document, spreadsheet, or other Office file.
The vulnerability affects Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 on Windows. Mac users running Microsoft 365 or Office LTSC are also affected, with fixed builds starting at version 16.111.26071215. The advisory further includes SharePoint Server 2016 and SharePoint Server 2019, making this a priority for organizations that host SharePoint farms.
SharePoint administrators received specific patches: SharePoint Server Subscription Edition requires KB5002882 (build 16.0.19725.20434), while SharePoint Server 2016 servicing includes build 16.0.5561.1001. Microsoft warns that simply installing the binary package without completing the required farm update steps—such as those involving SharePoint Workflow Manager and PSConfig—will leave SharePoint servicing incomplete.
Decoding the "Remote" Label: What Microsoft Says
The CVE title calls it a "Microsoft Office Remote Code Execution Vulnerability," yet the CVSS metric says the attack vector is Local (AV:L). This has caused confusion, but Microsoft's Security Response Center explains it clearly: "The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally."
In practice, the attacker cannot directly target your PC over the network. They must trick you into opening a poisoned file—whether through email, a malicious website, or a shared folder. The code executes within Office on your machine, but the attacker orchestrates the entire chain from a remote location. That distinction matters for threat modeling: firewalls alone won’t stop this, because the exploit rides in on content you intentionally open.
What This Means for You
Home and Small Business Users
If you use any version of Microsoft Office, you are at risk. The attack surface is broad: a Phishing email with a DOCX attachment, a doctored XLSX downloaded from a forum, or even a legitimate-looking PPTX sent through a messaging app. Because the vulnerability requires no special privileges (PR:N) and is rated low complexity (AC:L), the bar for exploitation is not high. A successful attack could lead to stolen files, ransomware, or malware installation.
But you’re not defenseless. Installing the July 2026 Office updates eliminates this specific bug. For most users, that means letting Microsoft Update do its job or manually checking for updates in any Office app (File > Account > Update Options > Update Now).
IT Administrators and Security Teams
This CVE demands prompt action on two fronts:
- Office desktop clients: All managed installations must reach the fixed Click-to-Run builds or volume-licensed MSI versions. Verify deployment using Configuration Manager, Windows Update for Business, or your patching platform. Look for the July 2026 security release versions published by Microsoft.
- SharePoint servers: The patches are not just for Office. SharePoint Server 2016, 2019, and Subscription Edition need KB5002882 (or the build equivalent) applied, followed by the farm configuration steps. Failing to run PSConfig after patching has left SharePoint vulnerable in previous incidents—don’t let it happen again.
Even with the patch, defense-in-depth measures should remain in place. Use Attachment Filtering, Mark of the Web, and Protected View to limit how Office handles untrusted files. Audit Office child-process creation (e.g., WINWORD.EXE spawning PowerShell) as a signal of possible exploitation attempts.
Developers and Power Users
If you build Office add-ins or macros, ensure your development machines are updated. While CVE-2026-55125 isn't specific to add-in code, a compromised Office process can tamper with your testing environment or steal credentials. Keep all Office instances—particularly on systems that handle sensitive work—current.
How We Got Here: Office as a Persistent Target
Memory corruption flaws in Office are nothing new. The suite’s long history and complex file format support provide a rich attack surface. Attackers have repeatedly weaponized heap overflows to execute code because they can be triggered by malformed documents that users are tricked into opening.
Microsoft’s July 2026 Patch Tuesday addressed multiple Office vulnerabilities. CVE-2026-55125 stood out not because of a sky-high CVSS score—at 7.8, it’s “only” High severity, not Critical—but because of its reach across so many Office versions and SharePoint environments. The advisory’s inclusion of SharePoint is a reminder that the server product relies on Office components that must be kept in sync.
Microsoft has increasingly moved toward automatic updates for Microsoft 365, and many home users will receive the fix without intervention. Enterprises, however, must still validate and orchestrate rollouts, especially where change-control processes delay patches.
What to Do Now: A Practical Checklist
- Apply the update immediately. For most users, go to File > Account > Update Options > Update Now in any Office app. The update history should show a build from July 14, 2026, or later. Mac users should verify version 16.111.26071215 or newer.
- Verify SharePoint patches. If you manage SharePoint Server, install the appropriate update (KB5002882 for Subscription Edition) and run the SharePoint Products Configuration Wizard on all servers. Check that build numbers match: 16.0.19725.20434 for Subscription Edition, 16.0.5561.1001 for SharePoint 2016.
- Reinforce security controls. Enable or confirm these mitigations:
- Protected View: Opens untrusted files in a sandbox.
- Attachment Filtering: Blocks dangerous file types at email gateways.
- Mark of the Web: Ensures files from the internet undergo extra security checks.
- Application Control: Prevents Office from spawning unexpected processes. - Educate users. Remind colleagues and family that opening unexpected Office files—even from known contacts—can lead to compromise. The human element is the first link in this exploit chain.
- Test and monitor. If you can’t patch immediately, restrict which Office file types can be opened from untrusted sources and monitor for anomalous Office behavior.
Outlook: Patch Tuesday Is a Rhyme, Not a Repetition
July 2026’s CVE-2026-55125 won’t be the last Office heap overflow. The ubiquity of Office makes it a perennial target, and user interaction will remain the most common attack vector. The good news is that Microsoft’s monthly cadence gives us a predictable rhythm for defense. Apply the update, review your security controls, and treat this as a reminder that even local vulnerabilities can host remote attackers.
No breach is inevitable, but neither are patches self-applying in every environment. If you handle the basics now, you’ve cut off one more avenue before it becomes a crisis.