On July 14, 2026, Microsoft pushed out security updates for Office that close CVE-2026-55042, a vulnerability that lets attackers extract sensitive information by tricking you into opening a booby-trapped file. The flaw, rated 5.5 on the CVSS scale, touches nearly every modern Office deployment: Microsoft 365 Apps, perpetually licensed Office 2016 and 2019, and even the latest LTSC 2021 and 2024 releases on Windows and Mac. No active attacks have been spotted, but the update is one you should not postpone.
What’s Actually Broken—and Fixed
The core of CVE-2026-55042 is a classic CWE-908: Use of Uninitialized Resource. When Office handles certain content, an internal component can access memory or an object that hasn’t been properly initialized. Under normal conditions, that’s just sloppy code. But a specially crafted file can force the application to read residual data from that uninitialized state and make it observable to an attacker. Microsoft hasn’t detailed exactly what information could leak—it might be document contents, memory fragments, or metadata—but the CVSS vector scores confidentiality impact as High, meaning the exposed data could be highly sensitive.
The attack itself is local by design, but that term often misleads. The vector string AV:L doesn’t demand an attacker already has logged-in access to your machine. Instead, it means the exploit must run on the target system after a malicious file lands there. That file could arrive through email, a shared drive, a cloud sync folder, or a download link. The attacker then relies on social engineering: you open the file, Office processes it, and the flaw leaks information. The attack complexity is low and requires no special privileges, but it does need that user interaction.
Crucially, this is not a remote code execution bug. The integrity and availability impacts are None, so the vulnerability cannot modify data or crash your system. It’s a pure information disclosure, which often gets deprioritized. But leaked data can fuel further attacks—an exposed password, internal path, or document contents might be the foothold for a later ransomware strike or credential theft. For anyone handling legal contracts, medical records, financial statements, or corporate secrets, the risk is concrete.
Who Has to Worry
The CVE’s affected-product list is broad, covering both Click-to-Run and MSI-based installations, 32-bit and 64-bit. Here’s the breakdown:
| Edition | Platform | Fix Threshold / Guidance |
|---|---|---|
| Microsoft 365 Apps for enterprise | Windows (32/64-bit) | Install the July 14 security update from your servicing channel |
| Office 2016 (MSI) | Windows (32/64-bit) | Version 16.0.5561.1000 or later |
| Office 2019 | Windows (32/64-bit) | Install latest update via Click-to-Run (no single build number given) |
| Office LTSC 2021 | Windows (32/64-bit) | Same as above—update through your channel |
| Office LTSC 2024 | Windows (32/64-bit) | Same as above |
| Microsoft 365 for Mac | macOS | Version 16.111.26071215 or later |
| Office LTSC for Mac 2021 | macOS | Version 16.111.26071215 or later |
| Office LTSC for Mac 2024 | macOS | Version 16.111.26071215 or later |
If your organization still runs Office 2016 MSI editions, the version number gives a clean compliance check: open any Office app, go to File > Account, and confirm the build is at least 16.0.5561.1000. For Click-to-Run editions—which includes all Microsoft 365 subscriptions and perpetual Office 2019/LTSC—the update comes through your assigned channel (Current Channel, Monthly Enterprise, Semi-Annual, etc.), not a single MSI package. The July 14 release reaches those channels automatically, but you must verify that clients have actually pulled the new build. Mac users should look for version 16.111.26071215; if Microsoft AutoUpdate has been deferred or disabled, you’ll miss the fix.
Office 2019 adds an extra wrinkle. Its mainstream support ended on October 14, 2025. Microsoft still issues security fixes at its discretion, but there’s no long-term commitment. If your organization relies on Office 2019, consider this patch a nudge toward a newer perpetual version or Microsoft 365.
What It Means for You
For home users and small offices: The threat is straightforward. You’re most likely on a Microsoft 365 subscription that updates silently. Open Word, click File > Account > Update Options > Update Now to force the patch if auto-update hasn’t already run. Until you do, treat any unexpected file from the internet—especially those .docx, .xlsx, or .pptx attachments that sneak through spam filters—with extreme caution. Protected View may help, but Microsoft hasn’t listed it as a reliable mitigation.
For IT administrators: You’ll need to cover two fronts: update deployment and validation.
- Push the update. Use Microsoft 365 Apps admin center, Configuration Manager, Intune, or Group Policy to release the July 14 security fixes to all Office clients. For MSI-based Office 2016, deploy the full set of July 14 security updates (not just a single package—Microsoft released multiple patches for shared components, Excel, Word, and others).
- Verify the outcome. Don’t trust a deployment console that says “success.” Inventory endpoint Office versions. On Windows, check build numbers: Microsoft 365 Current Channel users might see something like 16.0.17000.20000, while Semi-Annual Enterprise will differ. On Mac, run
./Microsoft AutoUpdateor query installed versions via MDM. - Prioritize high-risk users. Accounts that routinely open external documents—customer support, HR, legal, finance—should get the update first. Even though this isn’t a wormable or actively exploited bug, the data-leak potential is highest for those who touch sensitive third-party files.
- Don’t count on workarounds. Protected View, Mark of the Web checks, and attachment scanning are valuable layers, but none are documented as stopping CVE-2026-55042 specifically. Patching is the only confirmed fix.
For Mac admins: Many organizations let AutoUpdate lag. Open Terminal and run softwareupdate --list or check the Office build via About This Mac > System Report > Applications. If you manage updates through Jamf or another MDM, ensure the package containing 16.111.26071215 is deployed. Watch for users who run Office in isolated or air-gapped environments; they’ll need manual patch application.
How We Got Here
Microsoft’s July 2026 Patch Tuesday brought a handful of Office fixes, but CVE-2026-55042 stands out not for its severity but for its breadth. Information-disclosure vulnerabilities in Office aren’t rare—they’ve popped up in Word, Excel, and Outlook components for years, often tied to memory handling flaws. This one, marked CWE-908, means the software used a resource before giving it a known value, leaving old data in place that a clever attacker could read.
The vulnerability was reported directly to Microsoft, which acted as its own CVE Numbering Authority. That means the bug is confirmed and patched, but the technical write-up is sparse to give defenders a head start over reverse-engineers. So far, CISA has noted no known exploitation or automated attack capability, and the technical impact is listed as “partial.” That classification reflects the limited direct damage—no code execution, no system compromise—but doesn’t reduce the urgency for data-handling machines.
Office’s update cadence is also key. The July 14 fixes land across five different servicing models: the rapid Microsoft 365 channels, the slower perpetual LTSC channels, and the legacy MSI stream for Office 2016. This fragmentation means a single CVE can demand multiple deployment strategies. The last time we saw a comparable Office information-disclosure fix was in June 2026 (CVE-2026-33242), which also required user interaction but affected fewer editions. History suggests that these bugs, once disclosed, attract attention. A low-complexity, high-confidentiality leak is tempting for threat actors who specialize in intelligence gathering rather than immediate ransomware.
What to Do Right Now
If you’re reading this, you likely haven’t patched yet. Here’s your checklist:
- Identify your Office edition. Open any Office app, go to
File > Account(Windows) or the application menu > About (Mac). The version number will tell you if you’re on Microsoft 365, Office 2019, LTSC, etc. - For Windows Microsoft 365 users: Click
Update Nowif the version doesn’t already match a recent July 14 build. Microsoft 365 typically auto-updates, but if you’ve deferred updates via Group Policy or set a specific channel, you might need to trigger it manually. - For Office 2016 MSI users: Check Windows Update or manually download the July 14 security updates from the Microsoft Update Catalog. You need at least version 16.0.5561.1000.
- For Office 2019, LTSC 2021, or LTSC 2024 (Click-to-Run): These editions use the same update mechanism as Microsoft 365 but on different release cadences. Force an update through the same
Update Optionsmenu. - For Mac users: Open any Office app, click
Help > Check for Updates. If AutoUpdate hasn’t run, you’ll see version 16.111.26071215 become available. Install it. For managed Macs, trigger the update via your software deployment tool. - Validate after updating: Recheck the version number. On Windows, you can also open PowerShell and run:
powershell Get-ItemProperty "HKLM:\Software\Microsoft\Office\ClickToRun\Configuration" | Select ClientVersionToReport
For MSI editions, the version is under the specific product’s registry key. - For IT pros managing fleets: Run a report across all endpoints to ensure no device is left behind. Example: in Configuration Manager, create a collection of machines where Office 2016 build < 16.0.5561.1000. For Microsoft 365, you can use the Office inventory dashboard in Microsoft 365 Apps admin center.
While you’re patching, reinforce the usual human-layer defenses: remind users not to open attachments from unknown senders, and ensure your email gateway blocks known malicious file types. But remember, these are supplements, not substitutes.
Outlook
Microsoft’s advisory for CVE-2026-55042 may evolve. The company sometimes adds application-specific details or exploitation assessments after initial publication. More importantly, once the patch is widely deployed, security researchers—and adversaries—will compare updated binaries to find the exact code change. That could lead to better detection signatures but also proof-of-concept code. By the time that happens, you want your endpoints to already have the fix.
The broader lesson is that not every Office vulnerability makes headlines like a SharePoint zero-day, but they can still put your data at risk. A 5.5 severity score doesn’t mean the issue is mild; it means the attack surface is narrower. For any organization that processes sensitive documents on unpatched Office, the risk is real. Applying July’s updates takes minutes and helps ensure that one opened file doesn’t spill secrets.