Microsoft released a security update on July 14, 2026, that patches a heap-based buffer overflow in Microsoft Office, tracked as CVE-2026-50301. The flaw—rated 7.8 on the CVSS 3.1 scale—could allow a remote attacker to execute arbitrary code on a victim’s machine simply by convincing them to open a malicious document. Though no active exploitation has been detected yet, the fix is urgent for anyone running Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, or Microsoft 365 Apps.

What the July 14 Patch Actually Fixes

CVE-2026-50301 is caused by a heap-based buffer overflow (CWE-122) in an unspecified Office component. When Office processes a specially crafted file, it can write data beyond the allocated memory buffer, corrupting adjacent heap data and potentially allowing an attacker to hijack program execution. Microsoft’s Security Response Center (MSRC) classifies the impact as remote code execution because the attacker does not need physical access to the target—only the ability to deliver a malicious file that the user opens locally.

The security update corrects the memory handling issue, preventing the overflow from being triggered. For Office 2016 Click-to-Run editions, the fix arrives in build 16.0.5561.1000. MSI-based Office 2016 installations receive individual component updates, including patches for Word, Excel, PowerPoint, and Visual Basic for Applications—these are bundled in KB5105810 and other July 2026 security updates. For Office 2019, LTSC versions, and Microsoft 365 Apps, the patch is applied through their respective servicing channels; Microsoft’s Office update history lists the specific builds for each release track.

Affected Office Versions and Builds

The CVE record explicitly states that Office 2016 versions earlier than 16.0.5561.1000 are vulnerable. However, Microsoft’s advisory also covers:
- Microsoft Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Microsoft 365 Apps for Enterprise (all servicing channels)

All architectures (32-bit and 64-bit) are impacted. The table below summarizes the fix points for common installations:

Product Fix Build / Update How to Verify
Office 2016 (Click-to-Run) 16.0.5561.1000 File > Account > About Word
Office 2016 (MSI-based) KB5105810 (components vary) Programs and Features > View installed updates
Office 2019 (Retail) Click-to-Run July 14 release File > Account > Update Options > Update Now
Office LTSC 2021/2024 Volume-licensed Click-to-Run, July 14 security level Check version in any Office app
Microsoft 365 Apps Monthly Enterprise, Current Channel, etc., July 14 update File > Account; verify you are on a build dated July 14, 2026, or later

Why a Malicious Document Could Hand Over Your PC

The CVSS vector for CVE-2026-50301 reads AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The “L” for local attack vector often confuses readers because the vulnerability is labeled “Remote Code Execution.” In practice, the attacker is remote (they email you a file, host it on a website, or share it via cloud storage), but the exploit triggers locally when Office opens and parses the file. This is a standard pattern for document-based malware—similar to past Excel or Word exploits that required a single click.

User interaction is required (UI:R), meaning you have to open or otherwise cause Office to process the weaponized content. But Microsoft has not specified what that interaction entails. It may not require enabling macros, dismissing Protected View, or clicking an “Enable Editing” button—a simple double-click on a file could be enough. Once the overflow fires, an attacker can run code with the same permissions as the logged-in user. With typical Windows setups granting users local administrator rights, a successful exploit often leads to full system compromise: stealing files, installing ransomware, or moving laterally through a corporate network.

The Road to CVE-2026-50301

This vulnerability was disclosed as part of Microsoft’s July 2026 Patch Tuesday—a scheduled monthly release that this time also included fixes for other Office components, Windows, and Edge. The flaw was reported through Microsoft’s coordinated vulnerability disclosure program; the company has not publicly credited a specific researcher or organization. As of publication, CVE-2026-50301 is not listed as publicly known or exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also recorded no active exploitation but assigned the flaw a “potentially total” technical impact rating in its initial assessment.

Office has long been a prime target for attackers because of its ubiquity. Heap overflow bugs in productivity software are particularly dangerous—they often evade memory-safe mitigations when data flows through complex parsers. Microsoft’s Security Development Lifecycle (SDL) incorporates fuzzing and static analysis, but given the billions of lines of legacy code in Office, some vulnerabilities inevitably slip through. CVE-2026-50301 is a stark reminder that even with modern defenses like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), a single malformed file can bypass these barriers if the underlying code is flawed.

Immediate Steps to Secure Your Office Installation

  1. Update immediately. For home users, open any Office application, go to File > Account > Update Options > Update Now. Alternatively, run Windows Update—Microsoft distributes Office Click-to-Run updates through that channel as well. MSI-based installations should check Windows Update and apply all pending Office updates.
  2. Verify the build number. Don’t assume the update took effect. In any Office app, go to File > Account and look under “About.” For Click-to-Run 2016, you should see version 16.0.5561.1000 or higher. For Microsoft 365 Apps, use Microsoft’s update history page to match your channel’s expected build.
  3. For enterprise admins: Audit your fleet with a tool like Microsoft Configuration Manager or equivalent. Identify machines running affected Office versions and push the July 2026 security updates. If you use Group Policy to configure Office updates, verify that the “Target Version” policy does not pin devices to an older vulnerable build. Also confirm that Office Click-to-Run is not paused on a release older than the fix.
  4. Leverage security controls as a safety net. While patching is the only complete fix, robust email filtering, attachment sandboxing, and disabling automatic execution of Office macros via Group Policy can reduce the risk of weaponized documents reaching users. Enabling Protected View for Internet-originated files (a default in modern Office) adds a layer of defense, but as noted, the exploit may not require bypassing Protected View.
  5. Practice least privilege. If users do not need local administrator rights, revoke them. A successful exploit running under a standard user account is far less damaging than one with admin privileges, though attackers often chain such vulnerabilities with elevation-of-privilege flaws.

Watch for Post-Patch Exploitation Attempts

No public proof-of-concept (PoC) code exists yet, but history shows that attackers frequently reverse-engineer Microsoft patches to develop exploits within days or weeks. The Office endpoint attack surface is massive, and document-based lures are perennial favorites in phishing campaigns. Administrators should treat the July 14 Office update with the same urgency they would a more obviously critical network service patch.

Microsoft’s advisory does not list any mitigation that would permanently block exploitation without the update—no registry key or configuration switch closes the heap overflow. If you cannot immediately deploy the patch across all devices, focus on your most exposed users (those who frequently open documents from external sources) and strengthen your email and endpoint detection defenses.

CVE-2026-50301 is, at heart, a classic user-interaction-required remote code execution bug. But “classic” does not mean harmless. Patch now, verify your builds, and keep a close eye on threat intelligence feeds for signs that the vulnerability has transitioned from Patch Tuesday bulletin to in-the-wild weaponization.