{
"title": "Patch Now: Microsoft Office Vulnerability CVE-2026-55018 Lets Attackers Run Code via Malicious Files",
"content": "Microsoft on July 14, 2026, released security updates that patch a critical remote code execution vulnerability in Microsoft Office, a flaw that can be exploited by simply getting a user to open a rigged document. Tracked as CVE-2026-55018, the bug affects virtually every supported version of Office on Windows and macOS, from Office 2016 to current Microsoft 365 Apps. No active attacks have been spotted yet, but the clock is ticking: now that the fix is public, attackers have everything they need to build and deploy an exploit.
What got patched: A use-after-free memory bug in Office
The vulnerability stems from a use-after-free error in Microsoft Office, a type of memory corruption where the software tries to use memory that has already been released. Microsoft’s Security Update Guide classifies the issue as CWE-416, and the company gave CVE-2026-55018 a CVSS 3.1 score of 7.8 (High). Despite the “High” number, Microsoft itself rates the severity as Critical, reflecting the broad impact a successful attack could have. An attacker who exploited this flaw could run arbitrary code with the same permissions as the logged-in user, potentially accessing or modifying all files available to that account, installing malware, or disrupting system operations.
The attack requires user interaction: the victim must open a specially crafted Office file. This means it’s not a wormable, network-spreading threat, but rather a classic client-side vulnerability that arrives via email, a shared link, or a download. Once the document is opened, the exploit can trigger the use-after-free condition, giving the attacker control. According to Microsoft’s advisory, the attack has low complexity, requires no special privileges, and can be launched locally—meaning the attacker only needs to get the file onto the target’s machine.
Affected products span the entire Office lineup for both Windows and macOS. The table below summarizes which versions need patching and the fixed builds or packages that resolve CVE-2026-55018.
| Product | How to get the fix | Fixed version or build |
|---|---|---|
| Microsoft 365 Apps for enterprise (click-to-run) | Click-to-Run servicing provides the July 2026 security update automatically; users can also check for updates manually. | Build varies by channel; ensure you’re on the latest release. |
| Microsoft Office 2016 (MSI-based, 32-bit or 64-bit) | Install KB5002887 via Windows Update, Microsoft Update Catalog, or Download Center. | 16.0.5561.1000 or later |
| Microsoft Office 2019 (MSI or click-to-run) | Run Windows Update or use the MSI packages for 2019; ensure the July 2026 security release is applied. | Latest security build for Office 2019 |
| Microsoft Office LTSC 2021 and 2024 (click-to-run, both 32-bit and 64-bit) | Click-to-Run servicing; update to the July 2026 security release. | Latest security build for LTSC 2021/2024 |
| Microsoft 365 / Office 365 for Mac | Use Microsoft AutoUpdate to install the July 2026 patches. | 16.111.26071215 or later |
| Office LTSC for Mac 2021 and LTSC for Mac 2024 | Use Microsoft AutoUpdate. | 16.111.26071215 or later |
Why you should care: Low barrier to attack, high impact on your data
Even though the flaw requires user interaction, phishing campaigns that trick people into opening documents remain one of the most common attack vectors. A single click on a malicious attachment could lead to a full compromise of the user’s Office environment and any network resources accessible to that account.
For home users, this could mean ransomware encrypting personal documents, thieves stealing sensitive photos or financial records, or attackers using the computer as a beachhead for further crimes. Even if you don’t run as an administrator, a standard user account still has access to your email, OneDrive files, and saved browser passwords—plenty of leverage for an attacker.
For businesses, the danger is magnified. Departments that routinely handle external files—finance, HR, legal, and sales—are prime targets. A successful exploit on an employee’s computer could expose confidential company data, allow the attacker to move laterally across the network, or deploy ransomware. Because the vulnerability exists in Office itself, it can be triggered before many of the document-protection features in newer versions of Office fully engage. Microsoft’s Protected View can block active content in files from the internet, but it is not a guaranteed shield. Sophisticated attackers may find ways to bypass these defenses, so relying on them as a substitute for patching is a gamble you don’t want to take.
The CVSS vector shows that the attack has high impact on confidentiality, integrity, and availability. In plain language, an attacker who gets in can read your files, change them, or make your system unusable. The only good news is that so far, no one is known to have used this exploit in the wild. According to CISA’s assessment on the day of release, there is no evidence of exploitation. But that status can change overnight.
How we got here: A familiar race against reverse engineers
Memory corruption bugs like use-after-free are a perennial challenge in complex software like Office. They often arise from subtle programming errors that are hard to catch during development. When Microsoft fixes one, the patch effectively draws a target on the flaw.
Security researchers and malicious actors alike use a technique called patch diffing: comparing the before-and-after code of patched binaries to identify exactly which bytes changed. From there, they can deduce the nature of the vulnerability and craft an exploit. This means that once the July 2026 updates go out, the race begins. Affected machines that are not promptly patched become increasingly attractive to attackers.
Microsoft’s “Confirmed” rating for this bug adds to the urgency. Unlike some vulnerabilities that are based on unverified reports or theoretical research, CVE-2026-55018 was discovered and validated by Microsoft itself. The company is the CVE Numbering Authority, meaning it confirmed the existence, the cause, and the affected configurations. There’s no ambiguity, and no chance that the advisory will be downgraded. Attackers know this is a real, exploitable weakness.
This patch arrived as part of a large July 2026 Patch Tuesday. BleepingComputer reported that Microsoft addressed 570 vulnerabilities in total across its products. Trend Micro’s Zero Day Initiative noted an unusually high number of critical Office code-execution bugs in this release. That volume creates a patch-prioritization headache for IT teams, but Office document vulnerabilities remain a reliable and popular attack path, so CVE-2026-55018 should be high on every to-do list.
What to do now: Patch, verify, and reinforce
For individuals with a personal PC or Mac
If you use Microsoft 365 or a one-time purchase of Office on Windows, the quickest way to get the fix is to open any Office application (like Word or Excel), go to File > Account > Update Options > Update Now. This forces an immediate check for and installation of the latest security updates. After the update, verify the version: in the same Account screen, you’ll see a version number. For Office 2016 MSI, check that Windows Update has installed KB5002887; you can view your update history in Settings > Windows Update > Update history. The Office version should be 16.0.5561.1000 or higher.
On a Mac, open any Office app, click Help > Check for Updates to launch Microsoft AutoUpdate. Install all updates