Microsoft’s July 2026 security updates have squashed a memory-leak vulnerability in Word that could let attackers extract sensitive data from a system by tricking a user into opening a specially crafted document. The flaw, CVE-2026-55050, earned a 5.5 CVSS score and an ‘Important’ rating, and it affects nearly every supported version of Office across Windows, Mac, and even SharePoint Server.

What actually changed: a CWE-125 in the Word parser

The vulnerability is an out-of-bounds read (CWE-125). That means the Word application reads beyond the intended boundary of a memory buffer when processing certain malicious content. The result is a pure information-disclosure risk: memory contents that the process should not expose can leak to an attacker. Microsoft’s CVSS vector – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N – confirms confidentiality impact is high, while integrity and availability remain untouched.

The attack is local in CVSS terms, but that only means the attacker needs the target to open or process a crafted file. No prior authentication or account access is required. The low attack complexity signals that exploiting the bug isn’t particularly difficult once the user interaction hurdle is cleared. Still, Microsoft’s own exploitability assessment is ‘Exploitation Unlikely’, and no public disclosures or active attacks were known when the advisory shipped on July 14, 2026.

Fixed versions and associated updates are as follows:

  • Microsoft 365 Apps on Windows: Install the latest Office security release from your configured update channel.
  • Office 2019 and Office LTSC 2021 / 2024 on Windows: Install the July 2026 Office security update.
  • Office for Mac (Microsoft 365, LTSC 2021, LTSC 2024): Update to version 16.111.26071215 or later.
  • Word 2016 (MSI-based edition): Install KB5002890, which brings Word to version 16.0.5561.1000 and replaces KB5002879. Click-to-Run installations (e.g., Microsoft 365 Apps) are not covered by this standalone package; they get the fix through their regular update channel.
  • SharePoint Server 2016: Update to at least build 16.0.5561.1001.
  • SharePoint Server 2019: Update to at least build 16.0.10417.20175.
  • SharePoint Server Subscription Edition: Install KB5002882 (requires build 16.0.19725.20434). This update bundles fixes for multiple SharePoint and Word vulnerabilities, not just CVE-2026-55050.
  • Office Online Server: Install KB5002884.

What it means for you

For home users and students

If you open documents from email attachments, shared drives, or the web, this is a quiet but real risk. The good news: simply updating Microsoft 365 Apps (if you use a subscription) or applying the relevant Office security update essentially eliminates the threat. No workarounds are required, and you don’t need to change how you work. On a Mac, make sure your Office apps are at version 16.111.26071215 or later.

If you’re still running Word 2016 as a standalone copy, check whether it’s an MSI installation. Microsoft’s KB5002890 is only for MSI-based installs. Many home users have Click-to-Run Office from an older retail purchase. If you’re unsure, open Word, go to File > Account, and look at the “About Word” section. It will show whether you’re using a Microsoft 365 subscription or a one-time purchase. If you see “Click-to-Run”, your update will come through Windows Update or the Office update mechanism automatically, not through a standalone KB.

For IT administrators and enterprise desktop teams

Security patching is rarely just about one CVE, and July 2026’s Patch Tuesday was unusually large. Still, CVE-2026-55050 deserves a spot on your deployment schedule for all endpoints that run Word, especially if users routinely open documents from external sources. Because the attack requires user interaction, it’s the kind of vulnerability that a determined adversary can pair with social engineering. Prioritize systems in legal, financial, HR, and any department dealing with sensitive information.

For MSI-based Word 2016, compliance scanning is straightforward: look for KB5002890. But for Click-to-Run installations, you’ll need to verify the actual Office version number against Microsoft’s July 2026 security release documentation. The absence of KB5002890 doesn’t mean a Click-to-Run device is vulnerable—it simply means that particular patch isn’t the delivery vehicle.

For SharePoint and Office Online Server administrators

This is where the impact broadens significantly. Word’s document-processing engine isn’t confined to the desktop. When a user uploads a .docx to a SharePoint library and previews it via the browser, Word server-side components render that document. Microsoft’s advisory explicitly lists SharePoint Server 2016, 2019, and Subscription Edition as affected, along with Office Online Server.

Applying the SharePoint updates is more complex than clicking “Check for updates”. For SharePoint Server Subscription Edition, KB5002882 requires:
- Installing KB5002799 first if you use SharePoint Workflow Manager.
- Enabling a farm debug flag if you still run the Classic Workflow Manager.
- After running PSConfig, using PowerShell to disable a defense-in-depth actor-token audience validation feature that can cause a regression. Microsoft says existing validation checks remain active, but the extra step is mandatory.

For Office Online Server, KB5002884 must be deployed separately. Do not assume that patching SharePoint covers every Office component in your farm. Inventory your servers, verify build numbers, and test document rendering after the update.

How we got here

Memory-corruption vulnerabilities in Office parsers are nothing new. Word, Excel, and PowerPoint have been vectors for information disclosure and code-execution attacks for decades. The shift to cloud-connected, co-authoring-friendly document formats hasn’t eliminated the underlying complexity of file-format parsers. CVE-2026-55050 is another reminder that even a “moderate” CVSS score can represent a practical risk when the attack surface is measured in millions of users who open documents as part of their daily jobs.

July 2026’s Patch Tuesday was a heavy one for Microsoft. Alongside this Word flaw, the company fixed actively exploited vulnerabilities in other products. The forum source noted that CVE-2026-55050 “is less urgent than the actively exploited vulnerabilities” in that release, but that’s a relative statement. Left unpatched, it becomes an attractive target for attackers who can craft or purchase a proof-of-concept after the advisory’s publication.

The vulnerability was confirmed through Microsoft’s internal verification processes, but it was not discovered in the wild. That “Report Confidence: Confirmed” label in the CVE means the technical details are credible, even if no known attacks exist yet. The National Vulnerability Database was still enriching its entry a day after the advisory, meaning early adopters of the patch are acting on Microsoft’s guidance alone.

What to do now

  1. Deploy Office updates as part of your July Patch Tuesday cycle. For most organizations, that means approving the Microsoft 365 Apps security update and any relevant Office 2019/LTSC updates in your patch management tool. Check your update channels to ensure you’re receiving the latest build.

  2. Apply the standalone KB5002890 to all MSI-based Word 2016 installations. If you manage a mixed environment, run a report to identify MSI installs separately from Click-to-Run. Use your software inventory tool to flag all systems where Word 2016 is installed and KB5002890 is missing.

  3. Update Mac devices running Office to version 16.111.26071215 or later. This can be done through Microsoft AutoUpdate or your MDM policy. Verify the version by opening Word and going to the About menu.

  4. Patch SharePoint farms completely. For each farm, verify the target build number shown in Central Administration and install the relevant cumulative update. Follow Microsoft’s explicit pre- and post-installation steps for Subscription Edition, especially the Workflow Manager prerequisite and the PowerShell actor-token configuration. Do not skip the debug flag if you use Classic Workflow Manager.

  5. Update Office Online Server with KB5002884. If you provide browser-based Office document viewing or editing, this is a separate server role that might be overlooked in vulnerability scans focused on SharePoint web front ends.

  6. Validate your deployment. After patching, spot-check that Word documents open correctly and that SharePoint document previews and workflows function as expected. The post-update PowerShell step for Subscription Edition is designed to prevent a regression, but you’ll want to confirm that document handling remains stable.

Outlook

CVE-2026-55050 will likely fade from headlines quickly given the lack of active exploitation and its ‘Important’ rating. However, document-based information disclosure bugs have a habit of reappearing in new variations. The fact that the affected Office components stretch from consumer Mac apps to enterprise SharePoint farms shows how deeply embedded Word’s parsing engine is across the Microsoft ecosystem. Watch for any proof-of-concept code that might surface in the weeks after the advisory; even ‘Exploitation Unlikely’ status can change if reliable exploit code becomes public. For now, applying the July update is the clearest path to closing this particular leak.