Microsoft’s July 14, 2026 security release patches an information-disclosure vulnerability that affects Microsoft 365 Apps, every supported perpetual Office release, Office for Mac, and on-premises SharePoint Server. The flaw, tracked as CVE-2026-55047, could allow an attacker who convinces a user to open a malicious file to read data that should have stayed inside the application’s memory – without leaving obvious signs of an attack.

The Updates at a Glance

At its core, the vulnerability is an out-of-bounds read (CWE-125) in Office’s processing of certain file formats. When the software reads beyond the intended memory buffer, fragments of documents, internal application state, or even credentials can be exposed to the attacker. Microsoft assigned the bug a CVSS 3.1 base score of 5.5, rating it “Important.” The attack vector is local, meaning an attacker must either have direct access to the target machine or trick a user into opening a crafted file. No privileges are required, but the victim must interact in some way.

Unlike many Office vulnerabilities that threaten remote code execution, this one carries no integrity or availability impact. Its sole consequence is confidentiality loss, and Microsoft judges that loss as “high.” That is enough to warrant prompt patching, especially given how easily an information leak can be chained with other exploits to bypass defensive barriers.

What It Means for You

For everyday users: Whether you use Microsoft 365 on Windows, a perpetual version of Office 2016 or 2019, or Office for Mac, you need to install the July security updates. For the subscription-based Microsoft 365 Apps, this typically happens automatically if your update channel is current. However, if you’ve deferred updates or are on a semi-annual channel, the fix may not arrive until your IT department approves it. Check your version: On Windows, any release older than the July 2026 security update is vulnerable; on Mac, you need version 16.111.26071215 or later.

For IT administrators managing endpoints: The threat surface is wide. CVE-2026-55047 affects not just Word or Excel but the entire Office suite. Attackers might use an infected file in any format that triggers the vulnerable parser – a detail Microsoft hasn’t disclosed. That means every department that handles unsolicited attachments (finance, HR, legal, sales) is a potential target. Even with email filters and attachment sandboxing, a motivated adversary might still find a way. Patching removes the underlying flaw.

For SharePoint administrators: The stakes are higher. On-premises SharePoint Server 2016, 2019, and Subscription Edition run Office components that are also vulnerable. Unlike Click-to-Run clients, these servers need manual patching, and the July cumulative update package (KB5002882 for Subscription Edition) bundles fixes for multiple vulnerabilities along with important workflow-related changes. Microsoft warns that organizations using SharePoint Workflow Manager must install KB5002799 before applying this update. Farms still on the Classic Workflow Manager must enable a server debug flag to keep it working. After running PSConfig, admins must also adjust a farm setting to avoid a regression from a defense-in-depth actor-token validation feature. Testing and validation before deployment are essential.

Who Is Affected – and How

The CVE advisory lists these affected products and their required update levels:

  • Microsoft 365 Apps for enterprise (32- and 64-bit): latest July security release via your update channel.
  • Office 2016 (click-to-run and MSI): version 16.0.5561.1000 or later.
  • Office 2019: supported security release from July 2026.
  • Office LTSC 2021 and Office LTSC 2024: corresponding July updates.
  • Microsoft 365 / Office 365 for Mac: version 16.111.26071215 or later.
  • Office LTSC for Mac 2021 / 2024: version 16.111.26071215 or later.
  • SharePoint Enterprise Server 2016: build 16.0.5561.1001 or later.
  • SharePoint Server 2019: build 16.0.10417.20175 or later.
  • SharePoint Server Subscription Edition: build 16.0.19725.20434 or later (KB5002882).

For home users and small businesses, updating Office is usually a matter of letting the automatic updates run or clicking “Update Now” in the app’s account or help menu. Mac users should check for updates through Microsoft AutoUpdate or the App Store, depending on how Office was installed.

How We Got Here

July 2026 was an unusually heavy Patch Tuesday. Microsoft addressed 570 vulnerabilities across its product line, more than 100 of which were information-disclosure bugs like CVE-2026-55047, according to BleepingComputer. That sheer volume makes it easy for a single Important-rated flaw to get lost in the noise, but its reach – covering nearly every Office and SharePoint installation still supported – makes it a critical item for defenders.

The vulnerability appears to have been discovered internally or through coordinated disclosure; Microsoft has not linked it to any active exploit campaign. The National Vulnerability Database was still enriching its independent record as of July 15, and CISA’s initial SSVC assessment noted no known exploitation and ranked the technical impact as partial.

Immediate Steps You Should Take

  1. Identify where Office and SharePoint run. Inventory all endpoints with Office 2016, 2019, LTSC 2021/2024, or Microsoft 365 Apps, including Macs. For SharePoint, map every server in the farm.
  2. Apply the July security updates. For Microsoft 365 Apps, ensure your update channel isn’t blocking the release. For perpetual versions, download and install the specific security packages from the Microsoft Download Center or via Windows Server Update Services (WSUS).
  3. Verify build numbers. After updating, spot-check a few devices to confirm they’ve reached the required versions listed above. A single missed machine can leave a gap.
  4. Pay special attention to SharePoint farms. Before patching, read Microsoft’s guidance for KB5002882 thoroughly. Install any prerequisite updates (KB5002799 for Workflow Manager if applicable), run a test farm upgrade if possible, and complete the post-configuration steps to avoid broken workflows or authentication issues.
  5. Don’t wait for exploits to appear. While no in-the-wild attacks have been reported, the “local” and “user interaction” requirements mean a successful attack might be silent. An information leak doesn’t crash the app or trigger alerts; it just quietly steals data.

The Bigger Picture

CVE-2026-55047 is a reminder that not all serious vulnerabilities make headlines. It won’t let an attacker take over a PC, but it can enable more damaging attacks by leaking the data needed to bypass mitigations. In a world where defense-in-depth is standard practice, leaving a known information-disclosure bug unpatched is a gift to determined adversaries.

Microsoft has not disclosed the exact file formats or components involved, so signature-based intrusion detection systems can’t reliably catch exploitation attempts. Patching is the only sure remediation. With the upcoming August update cycle, watch for additional fixes that may build on this month’s work, particularly for Office components that share code with SharePoint. Even if you typically delay patches by a week or two, this is one update worth moving up the schedule.