Microsoft shipped a security fix on July 14, 2026 that closes an information-disclosure vulnerability in Microsoft Office. The bug, logged as CVE-2026-55139, could allow a local user—or a piece of malware already running on your PC or Mac—to read data from memory that Office normally keeps out of reach. The patches cover all supported Office editions on both Windows and macOS, and while no attacks have been spotted yet, applying the update now plugs a leak that could otherwise give an intruder sensitive information such as passwords, document fragments, or encryption keys.
The Patch at a Glance
CVE-2026-55139 carries an Important severity rating from Microsoft, and its CVSS 3.1 base score is 5.5. The vulnerability is classified as CWE-125: an out-of-bounds read. That’s a memory-safety slip where the software tries to read beyond the allocated buffer, peeking at adjacent memory that wasn’t meant to be shared. In Office’s case, that could expose data from the application’s own process—the contents you’re working on, cached credentials, or internal data structures.
The attack vector is local, meaning the attacker needs to be logged on to your machine or trick you into running something malicious. The bug can’t be triggered by someone simply sending a document; it requires code execution on the endpoint. That’s why Microsoft’s exploitability assessment says real-world exploitation is “unlikely” right now, and there’s no evidence of public disclosure or in-the-wild exploitation prior to Patch Tuesday.
The fixes are delivered through the standard update channels. For Windows, users of Microsoft 365 Apps (the Click-to-Run versions) will get the update automatically. For perpetual Office releases like Office 2019, Office LTSC 2021, and Office LTSC 2024, the patch also comes through the July 2026 security release. The specific build numbers vary by channel, but the minimum safe version for Mac is 16.111.26071215. On Windows, Office 2016 gets the fix via KB5002887, which bumps the version to at least 16.0.5561.1000.
Who’s at Risk—and What’s at Stake
This vulnerability affects nearly everyone running a supported version of Office. Microsoft lists:
- Microsoft 365 Apps for enterprise (32-bit and 64-bit) on Windows
- Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 on Windows
- Microsoft 365 and Office 365 applications for Mac (before version 16.111.26071215)
- Office LTSC for Mac 2021 and 2024 (before 16.111.26071215)
If your Office installation is still receiving security updates, you’re likely in scope. Home users on a Microsoft 365 subscription will get the patch automatically if automatic updates are enabled—but you should still verify the build number because the update may sit pending until you restart the applications.
For businesses, the risk picture is nuanced. A local information-disclosure flaw means that an attacker who already has a foothold on a workstation—through malware, a malicious insider, or a compromised account—can exploit the Office memory leak to steal data that might help them move laterally or deepen their access. While the bug doesn’t directly allow remote code execution, information leaks often serve as stepping stones in multi-stage attacks. An exposed memory address, for instance, can help bypass Address Space Layout Randomization (ASLR), making subsequent code-execution exploits easier.
That said, CVE-2026-55139 is not a “drop everything” emergency. It’s a solid candidate for your regular monthly update cycle because it carries none of the hallmarks of an active threat: no proof-of-concept code circulating, no exploit kits, and no observed attacks. But remember that “unlikely exploitation” doesn’t mean “impossible exploitation”—once the patch details are public, reverse-engineering the fix becomes easier for attackers. The window between a patch release and the first exploit attempts is shrinking across the industry, so don’t let this one linger.
Home users should just make sure Office updates. Power users who deal with sensitive documents or run multi-user systems should double-check their build numbers. IT administrators need to inventory their Office fleet and confirm that every endpoint—especially those that are often offline, like field laptops—receives the update. The same July update bundle also fixes several more severe Office vulnerabilities, including remote code execution flaws, so you’ll get multiple benefits from one servicing event.
Not the Only Office Problem in July
CVE-2026-55139 landed as part of a massive July 2026 Patch Tuesday: Microsoft addressed 570 unique vulnerabilities across its products, according to BleepingComputer. Among those, 102 were information-disclosure issues, and dozens were Critical-rated remote-code-execution bugs. Office itself received a slew of patches covering both information disclosure and code execution. Several of those Office bugs share the same 5.5 CVSS score and out-of-bounds-read classification, but others carry higher severity and a more direct path to system compromise.
In short, CVE-2026-55139 is one link in a chain of fixes that deserve your attention. Failing to apply the July Office updates leaves you exposed not just to this memory leak but to potentially more dangerous vulnerabilities in the same codebase. The broader context makes a strong argument for deploying the complete July Office security release rather than cherry-picking individual CVEs.
How to Get the Fix and Stay Safe
For everyday users on Windows or Mac:
1. Open any Office application (Word, Excel, Outlook).
2. Click on File > Account (or Help in older versions).
3. Under “Product Information,” look for an Update Options button. Click it and select Update Now.
4. Wait for the update to download and install. You may need to restart the application or your computer afterward.
5. To verify you’re safe, check the version number:
- On Windows: Go to File > Account, and under “About Word” (or your app), you’ll see a version number like Version 2307 (Build 16626.XXXXX).
- On Mac: Click the app name on the menu bar, choose About Word, and check the build number.
For Microsoft 365, any build released after July 14, 2026, should contain the fix. If you’re on a perpetual version, confirm the build meets or exceeds the minimums: Office 2016 at least 16.0.5561.1000; Office 2019, LTSC 2021, LTSC 2024 will show a version number that aligns with the July 2026 release; Mac builds should be at least 16.111.26071215.
For IT administrators:
- Use Microsoft Configuration Manager, Microsoft Intune, or the Microsoft 365 Apps admin center to inventory installed Office builds across your estate.
- Identify devices where Office is below the security baseline for each channel. For Office 2016, check for KB5002887. For Click-to-Run editions, compare build numbers against Microsoft’s release information for July 2026.
- Deploy the updates through your normal software update mechanism. If using Configuration Manager, approve the July Office security updates for deployment.
- After deployment, run a compliance report to confirm that all managed devices have applied the patch. Note that Click-to-Run updates may download but not apply until Office applications are closed—so a device may report “pending” until the user restarts Office.
- Revisit any devices that remain out of compliance after your standard remediation window, and manually push updates or investigate blockers (like insufficient disk space, third-party add-in conflicts, or user-administrator separation issues).
For both groups: There are no official workarounds that eliminate the vulnerability without installing the update. Microsoft hasn’t published a configuration change, registry key, or Protected View setting that neutralizes CVE-2026-55139 specifically. So the patch is the only path to closure. However, general best practices—like opening documents from untrusted sources in Protected View, keeping your antivirus up to date, and enabling Attack Surface Reduction rules if you’re an organization—still help reduce the overall risk of document-based attacks.
What We’re Watching Next
Now that the patch is public, it’s typical for security researchers to dig into the fix and attempt to reconstruct the underlying flaw. While Microsoft’s assessment suggests exploitation is unlikely, past experience shows that a deterministic information-disclosure bug can sometimes be combined with other weaknesses to achieve code execution. We’ll be monitoring security advisories and public exploit databases for any signs that CVE-2026-55139 has moved beyond the theoretical.
In the meantime, treat this CVE as your monthly reminder to keep Office—and all your other software—up to date. The next Patch Tuesday is only a few weeks away, and the cycle continues. Staying current is the simplest, most effective defense against the trickle of memory bugs, logic flaws, and code-execution holes that surface each month. For now, update your Office, confirm the build number, and get back to work.