Microsoft on July 14 released security updates for a memory leak vulnerability in Office and SharePoint that could allow attackers to read sensitive data from a system’s memory. The bug, tracked as CVE-2026-55028, affects nearly every supported version of Microsoft Office on Windows and macOS, as well as on-premises SharePoint servers. While exploitation requires a user to open a malicious file, the flaw’s high confidentiality impact and broad footprint make it a priority for patch management teams.
A Closer Look at the Flaw
CVE-2026-55028 is an out-of-bounds read vulnerability, classified under CWE-125. When triggered, an affected Office component reads memory beyond the limits of an allocated buffer, potentially exposing data that was never meant to be accessible. Microsoft marks it as ‘Important,’ despite a CVSS 3.1 base score of 5.5—which falls in the ‘Medium’ numerical band. The vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, meaning:
- Attack vector: Local. An attacker must get a malicious file onto the target system, but doesn’t need physical access. Typical delivery methods include email attachments, cloud shares, or downloaded archives.
- Attack complexity: Low. No special conditions are required for exploitation.
- Privileges required: None. The attacker doesn’t need an existing foothold.
- User interaction: Required. The victim must open or otherwise process malicious content.
- Confidentiality impact: High. Successful exploitation could reveal sensitive memory contents.
- Integrity and availability: None. The flaw does not allow data modification or disruption.
The gap between the ‘Important’ severity label and the 5.5 score is notable. It underscores that CVSS numbers don’t always reflect the operational risk for a specific environment. A local, user-interaction-dependent bug may seem tame, but when it can silently leak credentials, encryption keys, or other secrets from a running Office process, the real-world damage can escalate quickly.
Which Products Are Affected
Microsoft’s advisory lists a wide range of affected editions:
- Microsoft 365 Apps for enterprise (Windows)
- Office 2016 (MSI), versions before 16.0.5561.1000
- Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Microsoft 365 for Mac, Office LTSC for Mac 2021, Office LTSC for Mac 2024 before version 16.111.26071215
- SharePoint Enterprise Server 2016 (builds before 16.0.5561.1001)
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Desktop and Mac users running Click-to-Run versions get the fix through their regular Office update channel. MSI-based Office 2016 installations—still prevalent in organizations with legacy add-ins—require a direct patch. The Mac fix brings Office to version 16.111.26071215 across all modern Office for Mac editions.
SharePoint’s inclusion is critical. Many admins think of Office CVEs as client-only problems, but SharePoint servers rely on Office components for document parsing and rendering. An attacker who manages to upload a malicious file to a SharePoint library could potentially trigger the vulnerability server-side, leaking memory from the web front end. That elevates the stakes for server farms that handle sensitive documents.
What It Means for You
For Home and SMB Users
The risk is manageable. If you use Microsoft 365 or a recent Office version, automatic updates likely patched this already. Check your Office update status: in Word or Excel, go to File > Account > Update Options > Update Now. For Mac users, open any Office app, go to Help > Check for Updates, and ensure you’re on version 16.111.26071215 or later. Because exploitation requires you to open a malicious file, standard safe-computing habits—avoiding unsolicited attachments, not enabling macros from unknown sources—remain your best first line of defense.
For IT Administrators
This CVE demands more than a routine click-to-run refresh. The patch footprint spans desktop Office and server-side SharePoint, each with its own servicing mechanism. Here’s what you need to verify:
- Microsoft 365 Apps: Confirm that July 2026 security builds have deployed to all managed endpoints. Check the build numbers per channel against Microsoft’s Office security release table. Don’t rely solely on policy reports—validate a sample of machines.
- Office 2016 (MSI): Update to version 16.0.5561.1000 or later via Microsoft Update, WSUS, or the standalone package.
- Office for Mac: Ensure all Macs report version 16.111.26071215 or higher. The update is delivered through Microsoft AutoUpdate.
- SharePoint Servers: This is where things get complicated. The July updates bundle multiple security fixes, not just CVE-2026-55028. Administrators must:
- For SharePoint Server Subscription Edition, install Workflow Manager update KB5002799 before applying the main security update KB5002882 if you use SharePoint Workflow Manager. After running PSConfig, you must also run specific PowerShell commands to disable a defense-in-depth feature that can cause regressions. Detailed steps are in the KB article.
- For SharePoint Server 2016, apply both the server package KB5002891 and the language pack KB5002892, because CVE-2026-55028 is associated with the language pack fix. Build number after update should be 16.0.5561.1001.
- For all SharePoint farms, back up the farm before starting, test in a staging environment, and verify workflow initiation, search, and document rendering after the update.
Microsoft notes that no known exploits exist as of July 14, and SANS Internet Storm Center confirms zero public disclosures. Still, the low attack complexity and high confidentiality impact argue against waiting. A deliberate attacker could combine this with a social engineering campaign to exfiltrate sensitive data without triggering alarms.
How We Got Here
CVE-2026-55028 arrived as part of Microsoft’s July 2026 Patch Tuesday. It follows a pattern of memory-safety issues in Office’s legacy codebase—often tied to parsers for file formats like .doc or .xls. Microsoft hasn’t publicly named the vulnerable component, but the broad product sweep suggests it lies in a core library that handles document structures across Word, Excel, and possibly SharePoint’s document conversions.
The National Vulnerability Database still lists the CVE as “Awaiting Enrichment,” meaning NIST hasn’t provided an independent severity analysis. That’s not unusual for freshly published Microsoft CVEs; the NVD often lags. The confidence level for the vulnerability’s existence is “Confirmed,” because Microsoft is both the product vendor and the CVE Numbering Authority. Technical details remain sparse, which limits signature-based detection but doesn’t make the patch any less urgent.
What to Do Now
Patch prioritization should be straightforward, but the SharePoint piece introduces dependencies. Use this checklist:
- Scan all endpoints and servers for Office and SharePoint installations. Don’t forget Macs and any Office 2016 MSI holdouts.
- For Click-to-Run Office: Force a manual update check or validate that automatic updates have caught up. Target the July 14, 2026 security baseline.
- For Office 2016 MSI: Deploy the update via your management pipeline. The corrected version is 16.0.5561.1000.
- For Mac Office: Verify version 16.111.26071215 in any Office app (About menu).
- For SharePoint Subscription Edition:
- If Workflow Manager is installed, apply KB5002799 first.
- Install KB5002882 on all servers in the farm.
- Run PSConfig across the farm.
- Execute the PowerShell commands from the KB article to disable the audience validation feature if instructed.
- Test critical workflows. - For SharePoint 2016: Install KB5002891 and KB5002892 (language pack). Run PSConfig. Confirm build 16.0.5561.1001.
- For SharePoint 2019: The July cumulative update addresses the same vulnerability; follow the same process.
After patching, monitor for any unusual document-handling errors or workflow failures, especially in SharePoint. The Subscription Edition update also fixes a non-security regression from June, so deploying it kills two birds with one stone.
Outlook
CVE-2026-55028 may not make headlines like a remote code execution bug would, but information disclosure flaws are bread and butter for advanced persistent threats. Attackers chain them with other exploits to escalate privileges or exfiltrate credentials. With no reliable detection method for the memory leak, the only universal defense is patching. Microsoft will likely include deeper fixes in future Office versions as the underlying code gets modernized, but for now, admins should treat this as a routine yet critical update cycle. Watch for any post-patch reports from the community—sometimes the first sign of in-the-wild exploitation surfaces in forums and incident response circles well before Microsoft updates its advisory.