Microsoft dropped its July 14, 2026 security updates on schedule, and buried inside the usual payload is a fix for CVE-2026-56192, an information-disclosure vulnerability in Microsoft Office. The flaw, rated medium severity at 5.5 out of 10, allows a local attacker to read memory contents from an Office process—potentially exposing sensitive documents, credentials, or internal system data. While it doesn’t carry the panic-inducing remote-code-execution label, the patch touches every major version of Office, from Microsoft 365 Apps to the on-premises SharePoint Server farms that power enterprise collaboration.

The advisory offers no sign of active exploitation, but for any organization handling confidential material inside Office, ignoring this update would be a mistake. Here is exactly what changed, who needs to act, and how to get the fix deployed.

What the July 14 Patch Actually Fixes

CVE-2026-56192 is an out-of-bounds read flaw classified under CWE-125. In plain terms, a piece of Office code reads memory beyond the boundary of a buffer, allowing it to fetch data that was never meant to be exposed. Microsoft’s CVSS 3.1 vector string breaks down as:

  • Attack Vector: Local (AV:L)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: Required (UI:R)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: High (C:H)
  • Integrity Impact: None (I:N)
  • Availability Impact: None (A:N)

The “local” designation doesn’t mean an attacker must physically sit at your keyboard. It signals that the vulnerable code is reached within a local execution context rather than over the network—through a process already running on the machine. The requirement for user interaction suggests that simply opening a file or triggering a specific Office feature may be necessary for exploitation, but Microsoft hasn’t publicly identified the exact trigger mechanism.

Crucially, “no privileges required” indicates that once an attacker has any foothold—even a standard user account—no elevation is needed to exploit the flaw. In enterprise incident chains, an information leak like this can serve as a stepping stone, helping an adversary map memory contents, extract document fragments, or locate tokens that enable lateral movement. That is why a medium severity doesn’t automatically mean “low priority” for environments that value data confidentiality.

Who Is Affected? A Wide Net Across Office and SharePoint

The affected-product list is unusually long. CVE-2026-56192 isn’t limited to the latest click-to-run versions—it reaches back into legacy installations and branches out to server products:

  • Microsoft 365 Apps for enterprise (all update channels)
  • Office 2016 (MSI-based installations, both 32-bit and x64)
  • Office 2019 (retail and volume-licensed)
  • Office LTSC 2021 and LTSC 2024
  • Office for Mac, including LTSC for Mac 2021 and LTSC for Mac 2024
  • SharePoint Server 2016, 2019, and Subscription Edition

The SharePoint inclusion is what turns this from a typical desktop-patch cycle into a server-maintenance task. While a workstation Office update can often be delivered silently through click-to-run servicing or Windows Update, server farms require careful planning: you must identify all roles, verify language packs, take backups, follow a tested farm-update process, and run post-installation configuration steps.

Microsoft has published the following minimum patch levels for the server products:

Product Patched Build Number
SharePoint Server 2016 16.0.5561.1001
SharePoint Server 2019 16.0.10417.20175
SharePoint Server Subscription Edition 16.0.19725.20434

For Office 2016, the advisory marks version 16.0.5561.1000 and earlier as affected. Mac installations require version 16.111.26071215 or higher. For all other Office editions, Microsoft directs administrators to the Office Security Releases portal rather than a single build number, because the servicing track depends on your chosen update channel (Current Channel, Monthly Enterprise Channel, etc.). This means that a device marked “fully updated” by Windows Update might not have the latest Office security fix if it is on a deferred channel; endpoint managers must verify the installed version against the channel’s specific release history.

Why a Medium-Severity Bug Still Demands Immediate Patching

CVE-2026-56192 doesn’t bring the kind of severity rating that makes headlines. But for organizations that handle financial reports, legal documents, intellectual property, or personal data inside Office applications, any memory leak matters.

Consider what runs inside an Office process. A Word instance might have open a contract draft; an Excel workbook could contain pivot tables of pricing data; Outlook routinely caches email content and authentication tokens. An attacker who can carefully trigger an out-of-bounds read—perhaps after getting a user to open a specially crafted document—might reconstruct snippets of this data. The confidentiality impact is scored as “high” for a reason: the information revealed could be significant, even if obtaining it requires a local foothold.

In practice, that local foothold is not hard to imagine. An employee opening a weaponized email attachment, a secondary infection from malware that has already bypassed perimeter defenses, or a malicious insider with legitimate user access could all create the conditions for exploitation. The patch eliminates the risk, and there is no workaround: the only mitigation Microsoft offers is to install the update.

The advisory also includes a generic explanation of a confidence metric, but that is not a statement that this particular vulnerability is publicly disclosed or under attack. As of July 15, Microsoft has not reported exploitation in the wild, nor has a proof of concept emerged. Still, security teams should monitor the vulnerability’s NVD entry (currently “Awaiting Enrichment”) for any change in status that might raise urgency.

Your Patch Action Plan

For Home Users and Small Businesses

If you use Microsoft 365 or a consumer Office version, the fix likely arrives automatically, but you should verify:

  • Open any Office application (Word, Excel).
  • Go to File > Account > Update Options > Update Now.
  • Confirm the version number matches your channel’s latest release.

On macOS, launch Microsoft AutoUpdate or check for updates within an Office app under Help > Check for Updates.

For Enterprise IT Administrators

Desktop Office:
- Use Microsoft Endpoint Configuration Manager, Intune, or your patch management tool to approve and deploy the July 2026 security updates for Office.
- For click-to-run installations, verify the update channel and confirm that the target build is listed on Microsoft’s release history page for that channel.
- For MSI-based Office 2016, Microsoft’s July catalog lists specific KB packages; deploy the appropriate one (x86 or x64).

SharePoint Server:
- Identify all servers in the farm and their roles (front-end, application, search, etc.).
- Review Microsoft’s documentation for the correct update order: typically, language packs first, then the server update, then the farm configuration wizard.
- Before beginning, run stsadm -o localupgradestatus and confirm no pending operations exist, then take full backups.
- Install the July cumulative update (KB5002882 for Subscription Edition, KB5002892 for SharePoint 2016 language pack, or the equivalent for 2019).
- After installation, run the SharePoint Products Configuration Wizard on each server to complete the patch.
- Verify the farm build number against the table above.

Mac fleets managed via MDM should use the vendor’s instructions to deploy the latest Office for Mac update; confirm version 16.111.26071215 or later.

The Unanswered Questions

Microsoft’s advisory leaves several details opaque. We do not know which Office component contains the out-of-bounds read, what file format or action triggers it, or whether the memory leakage is deterministic. The NVD’s pending enrichment could eventually add a CVSS 4.0 assessment or a CWE mapping with more nuance. Until then, defenders must act on what is known: there is a patch, and it closes a confirmed vulnerability.

Any speculation about remote exploitation through SharePoint, for example, goes beyond the advisory’s explicit statements. The rating is local, meaning an attacker must already have a local means to execute code. SharePoint servers do contain vulnerable Office code, which is why they need patching, but this does not imply that an internet-facing SharePoint site is an attack vector for this CVE. Stick to the facts, but patch thoroughly—both desktops and servers.

What Comes Next

The next Patch Tuesday is August 11. Between now and then, watch for two developments: first, whether NVD enriches the CVE record with additional analysis that might change the risk calculus; second, whether any security vendor publishes a proof of concept. In the meantime, treat the July Office updates as routine but necessary. Run a compliance scan across your endpoints and server farms today, document exclusions, and close the vulnerability window. The cost is a standard update cycle; the benefit is locking down a leak before anyone figures out how to turn it into a data breach.