On July 14, 2026, Microsoft released a security patch closing a heap-based buffer overflow in Microsoft Word that could hand attackers control of a victim’s machine. The vulnerability, tracked as CVE-2026-55130, carries a CVSS 3.1 score of 7.8 and is rated Important. It affects a broad range of Office and SharePoint products, and while no active attacks have been spotted, the ease of exploitation makes this an update worth applying now.
What actually changed
CVE-2026-55130 is a classic memory-safety bug in Word’s document-parsing engine. When the application opens a maliciously crafted file, a heap buffer overflow lets an attacker corrupt memory and run arbitrary code—all within the user’s security context. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) says the attack complexity is low, no privileges are needed, but a user must be tricked into opening a booby-trapped document. Despite Microsoft’s “Remote Code Execution” label, this is not a network worm; it’s the familiar document-borne threat that has plagued Office for decades. The attacker delivers the payload through email, file shares, or download links and waits for a double-click.
Microsoft’s advisory confirmed the bug was neither publicly disclosed nor exploited when the patch landed. The Zero Day Initiative’s July 2026 review echoed that assessment, listing zero exploitation activity. A CISA analysis added that exploitation is not automatically triggered, though the potential technical impact is “total”—entire systems could be compromised if the attack succeeds.
The fix arrives via several update packages:
- For Microsoft 365 Apps (enterprise), Office 2019, Office LTSC 2021, and Office LTSC 2024, the fix is delivered through the standard Click-to-Run update channels. No manual action is typically needed if automatic updates are enabled.
- For MSI-based Word 2016 installations, the patch is KB5002890. It raises Word to build 16.0.5561.1000 and also bundles fixes for multiple other July vulnerabilities.
- For on-premises SharePoint, three separate updates are required:
- KB5002891 for SharePoint Enterprise Server 2016 (minimum build 16.0.5561.1001)
- KB5002883 for SharePoint Server 2019 (minimum build 16.0.10417.20175)
- KB5002882 for SharePoint Server Subscription Edition (minimum build 16.0.19725.20434)
These SharePoint packages also roll up fixes for several other flaws, so they carry a larger footprint than a single CVE. Moreover, the Subscription Edition update (KB5002882) has a known issue: after running the SharePoint Products Configuration Wizard (PSConfig), a defense-in-depth actor-token validation may fail. Microsoft instructs admins to run a PowerShell command that relaxes this check temporarily while retaining existing validations.
What it means for you
The practical risk splits along how you use Office and whether you manage servers.
For home users and small businesses:
- If you run Microsoft 365 (the subscription version of Office), you are likely already protected. Open any Office app, go to File > Account > Update Options, and click “Update Now” to be sure.
- If you still use Word 2016 (the perpetual, MSI-based version), you must install KB5002890. Check Windows Update or grab it from the Microsoft Update Catalog if automatic updates are not active.
- The attack depends on you opening a poisoned document. Even with the patch, avoid launching attachments from unknown senders or downloading files from untrusted sites. Protected View in Office adds a layer, but the patch is your primary shield.
For IT administrators:
- desktop fleet: Verify that all Microsoft 365 Apps installations are on the current channel and received the July 14 security release. Use your deployment tool (Configuration Manager, Intune, or Group Policy) to push KB5002890 to any MSI Word 2016 clients.
- SharePoint farms: This is a bigger lift. Each server in the farm needs the cumulative update, followed by PSConfig. Before starting:
- Install the prerequisite KB5002799 if you use SharePoint Workflow Manager.
- If your farm still runs the classic Workflow Manager, apply the server debug flag as documented by Microsoft.
- Plan a maintenance window, take backups, and test in a staging environment.
- After PSConfig, address the actor-token validation issue with the prescribed PowerShell command.
- Don’t treat the SharePoint update like a desktop patch; it can break workflows, search, or customizations if rushed.
- Layered defenses—email scanning, Microsoft Defender for Office 365, application allowlisting, and attachment sandboxing—are still valuable. But none replace the absent binary patch.
For developers:
- No code changes are required, but if your application interacts with Word documents programmatically (for example, via Office automation or a SharePoint service), ensure the hosting environment is patched. The vulnerability could be triggered by server-side document processing components, though Microsoft’s rating suggests user interaction is still a factor.
How we got here
Heap-based buffer overflows have been a staple of Office vulnerabilities for over two decades. The Word file format—whether legacy binary (.doc) or modern Open XML (.docx)—is complex, and malformed input can slip past parser checks. In CWE-122, the program writes beyond the bounds of a dynamically allocated memory buffer on the heap, overwriting adjacent data structures. Attackers exploit this to redirect execution flow and run shellcode.
Microsoft’s July 2026 Patch Tuesday delivered fixes for an unusually large batch of Word and SharePoint issues, indicating a deep sweep of the parsing code. The vulnerability wasn’t previously known, which in security parlance means it was a “true” zero-day only for the vendor. The absence of known exploitation suggests the patch beats attackers to the punch, but that advantage erodes once the reverse-engineering community examines the binary difference.
The affected product matrix spans a decade of software: from Word 2016 (still in extended support) to the latest Microsoft 365 Apps. SharePoint is included because many components leverage Office document-processing libraries on the server. This broad reach is why the July update deserves more attention than a routine Patch Tuesday item.
What to do now
-
Update Office immediately
- For Microsoft 365 and newer perpetual Office (2019, LTSC 2021/2024): Open any Office app, navigate to File > Account > Update Options > Update Now, or allow automatic updates.
- For MSI Word 2016: Use Windows Update or download KB5002890 from the Microsoft Update Catalog and install it. This update replaces KB5002879 and brings Word to build 16.0.5561.1000. -
Patch SharePoint farms
- Identify your version and download the correct package:- SharePoint Server 2016: KB5002891
- SharePoint Server 2019: KB5002883
- SharePoint Server Subscription Edition: KB5002882
- Read the associated Microsoft Knowledge Base articles in full, noting prerequisites and known issues.
- For Subscription Edition, the post-PSConfig PowerShell command is:
$farm = Get-SPFarm; $farm.Properties[“DisableActorTokenValidation”] = $true; $farm.Update() - Run the update during a planned maintenance window, then run PSConfig. Monitor the Unified Logging Service for errors.
-
Validate your builds
- Word 2016: Ensure it reports File > Account > About Word > build 16.0.5561.1000 or higher.
- SharePoint: Check the build number in Central Administration or via(Get-SPFarm).BuildVersion. -
Reinforce your perimeter
- While the patch is the fix, keep these practices active:- Educate users: don’t open unexpected attachments or links.
- Enable Protected View for documents from the internet.
- Use email anti-malware scanning and Safe Attachments if you have Microsoft Defender for Office 365.
- Consider application control solutions that block untrusted executables spawned by Office processes.
Outlook
As of July 15, 2026, the threat is contained: no public proof-of-concept, no active attacks. But that can change quickly. Historically, high-rated Office RCEs with low complexity attract commodity malware campaigns within weeks of a patch. The next Patch Tuesday may bring additional hardening. Watch the MSRC and CISA advisories for any uptick in exploitation. For now, the best response is a methodical rollout of the July updates to your Office and SharePoint platforms—before the reverse engineers turn this vulnerability into an exploit kit module.