Microsoft’s July 14 security update includes a fix for an information-disclosure flaw in Office that can expose the contents of your documents – and potentially much more – when you open a booby-trapped file. The vulnerability, assigned CVE-2026-55027, affects every currently supported version of Microsoft Office on Windows and macOS, plus several on-premises SharePoint Server releases.
The flaw at a glance
CVE-2026-55027 is an out-of-bounds read vulnerability – a class of memory-safety bug where Office reads data from a location it shouldn’t. According to Microsoft’s advisory, an attacker can exploit this by crafting a malicious file and convincing someone to open it. No special privileges are required; just a double-click (or a preview in some configurations) can trigger the leak.
Microsoft rates the bug as Important, even though the Common Vulnerability Scoring System (CVSS) gives it a base score of 5.5, which typically translates to “Medium.” The reason: successful exploitation results in a High confidentiality impact. That means the information that spills out of memory could be genuinely valuable – not just a crash dump, but possibly fragments of other documents, cached credentials, or internal memory layouts that make further attacks easier.
The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) tells the story: local attack vector (the file needs to be opened on the compromised machine), low complexity, no prior account needed, but it does require user interaction. Data exposure only, no code execution. Still, information-disclosure flaws are often the first stage of stealthy attack chains, so taking them seriously matters.
Every version of Office needs a patch
The list of affected products is broad:
- Microsoft 365 Apps for Enterprise (32-bit and 64-bit) on Windows
- Microsoft Office 2016, 2019, LTSC 2021, and LTSC 2024 on Windows
- Office for Mac (Microsoft 365 and Office LTSC for Mac 2021/2024) – versions before 16.111.26071215
- SharePoint Server 2016, 2019, and Subscription Edition
Even Office 2016, which is over a decade old, gets a fix (build 16.0.5561.1000). SharePoint farms must be updated to specific builds: SharePoint 2016 needs 16.0.5561.1001, SharePoint 2019 needs 16.0.10417.20175, and the Subscription Edition needs 16.0.19725.20434. That last SharePoint fix is delivered via KB5002882, which bundles fixes for a host of other vulnerabilities too.
| Product | Fixed Build/Version |
|---|---|
| Microsoft 365 Apps for Enterprise (Windows) | July 14, 2026, or later (channel-specific builds vary) |
| Office 2016 (MSI) | 16.0.5561.1000 |
| Office for Mac (365 / LTSC) | 16.111.26071215 |
| SharePoint Server 2016 | 16.0.5561.1001 |
| SharePoint Server 2019 | 16.0.10417.20175 |
| SharePoint Server Subscription Edition | 16.0.19725.20434 (KB5002882) |
Microsoft hasn’t specified exactly which file types or Office components are exploitable. As first reported by TechRadar, that uncertainty means you can’t assume Word is the only attack vector – any Office application that can open documents (Excel, PowerPoint, even Outlook previewing a Rich Text message) could be used. The safest bet: apply the patches across your entire Office installation.
What this means for everyday users
If you’re a home user or small business owner without dedicated IT, the fix is straightforward: install the latest Office updates. For Microsoft 365 (the subscription version), updates usually come automatically through Windows Update or the Microsoft AutoUpdate tool on Mac. To be sure, open any Office app, go to File > Account > Update Options > Update Now. On Mac, open Word, go to Help > Check for Updates.
Don’t ignore the prompt just because the update’s CVSS score looks low. This is a “set it and forget it” security hygiene step that takes moments. Imagine opening what looks like an invoice from a familiar company, only to have a hidden script silently extract contents from other open documents. While we don’t yet know the exact data that can be leaked, the “High” confidentiality rating means it could be more than just useless bytes.
Be extra cautious with documents arriving via email, shared links, or USB sticks until you’ve applied the patch. The attack requires you to open a booby-trapped file, so if you haven’t updated yet, avoid opening attachments from unknown or unexpected senders.
What it means for IT administrators
Patching Office across a fleet and ensuring SharePoint servers are updated is more involved. Here’s a breakdown:
Microsoft 365 Apps – Channel policies should push the July 14 security builds automatically. Verify that devices have moved to a build from July 14 or later (check Microsoft’s official Office update history pages for exact build numbers per channel). Don’t forget Mac devices: the patched version is 16.111.26071215 or later.
Perpetual Office (2016, 2019, LTSC) – These use Click-to-Run or MSI-based servicing. Run Windows Update and also check that Office itself has been updated. The specific fix for Office 2016 (MSI) is build 16.0.5561.1000, but Microsoft recommends installing all July updates, not just one package.
SharePoint Server – The patch is part of a larger cumulative update that addresses multiple vulnerabilities, including several remote code execution bugs. For SharePoint Subscription Edition, apply KB5002882 after reviewing the prerequisites:
- If you use SharePoint Workflow Manager, install KB5002799 first.
- If you use the Classic Workflow Manager, you must set a server debug flag (documented in the KB article) to keep workflows running.
- After running PSConfig, you must also set DisableActorTokenAudienceValidation to $true on the farm object. This is a temporary measure because a new validation feature caused a regression; Microsoft says current token checks remain active, but note this in your change log.
For SharePoint 2016 and 2019, match the appropriate KB packages to your farm’s language packs and server roles. One patched server doesn’t mean the farm is protected – every server that serves Office-related content must be updated.
Because the cumulative update bundles fixes for more severe flaws, don’t delay deployment just because CVE-2026-55027’s score is moderate. The risk of exploitation rises as details become public, and researchers often reverse-engineer patches quickly.
How we got here
CVE-2026-55027 was disclosed on July 14, 2026, as part of Microsoft’s monthly Patch Tuesday release. The vulnerability was reported to Microsoft privately; no evidence of active exploitation exists, according to CISA’s SSVC assessment. The National Vulnerability Database is still enriching its entry, so an independent NVD score wasn’t available at publication time.
The relatively low public profile of the flaw shouldn’t fool you. Microsoft rarely classifies an Office information-disclosure bug as “Important” unless it genuinely risks leaking meaningful data. The lack of a public proof-of-concept now doesn’t mean one won’t appear – security researchers often publish detailed analyses within days of a patch, making it easier for attackers to weaponize the vulnerability.
Here’s what you should do now
- Update Office on all endpoints immediately. Use the built-in update mechanisms, and check the version number to confirm you’re past the vulnerable builds.
- Patch SharePoint servers as soon as testing allows. Prioritize farms that are internet-facing or process sensitive content.
- If patching must be delayed, implement temporary mitigations. Block risky file extensions at your email gateway, ensure Protected View is enabled (it opens files from the internet in a sandboxed mode), and remind users to treat unexpected attachments with suspicion.
- Verify your deployment. For SharePoint, run PSConfig on every box and check that the farm build number matches the patched level.
The bigger picture
CVE-2026-55027 might seem like a footnote next to the remote-code-execution nightmares also fixed this month, but it’s a reminder of why prompt patching matters. Information leaks can be the silent partners of more devastating attacks, and Office remains the primary tool for handling business-critical data. Microsoft hasn’t said whether the flaw exists in older, unsupported versions (Office 2010, 2013), but those versions are not being patched, so if you still run them, it’s long past time to upgrade.
We’ll continue to watch for any reports of exploitation or deeper technical write-ups. For now, the fix is the message: update now.