Microsoft’s July 2026 Patch Tuesday includes a fix for a memory corruption bug in PowerPoint that attackers can exploit just by convincing you to open a specially crafted presentation. The vulnerability, tracked as CVE-2026-55123, carries a CVSS score of 7.8 and affects a wide range of Office versions, from Microsoft 365 Apps to the still-supported MSI-based PowerPoint 2016.

The update corrects a heap-based buffer overflow that leads to code execution with the privileges of the logged-in user. If you’re an administrator, the impact is critical; if you’re a standard user, the attacker still gets a foothold on your machine. The patch arrives on July 14, 2026, alongside fixes for two other PowerPoint heap overflow vulnerabilities.

A Closer Look at the Vulnerability

CVE-2026-55123 is not a network-exploitable flaw. You can’t scan for vulnerable PowerPoint instances across the internet and fire off an exploit. Instead, the attacker must deliver a malicious file—usually via email, cloud storage, or a compromised download—and you must open it.

The attack sequence is grimly simple:

  1. A remote attacker crafts a PowerPoint file with corrupted data that triggers a heap overflow when loaded.
  2. The file reaches your inbox, Teams channel, or a shared folder.
  3. You double-click it.
  4. PowerPoint processes the malicious content, memory corruption occurs, and attacker-supplied code runs on your PC.
  5. The payload can steal documents, harvest credentials, install malware, or move laterally through your network.

Microsoft makes clear that the Preview Pane is not an attack vector. Simply selecting the file in File Explorer or seeing it in an attachment preview won’t trigger the bug. You have to open it. That small detail changes the urgency for defenders: patching remains the primary fix, but telling users not to open unexpected presentations is a viable interim mitigation.

Who’s Affected and What the Update Delivers

The vulnerability hits the following Office products:

  • Microsoft 365 Apps for Enterprise (all update channels)
  • Office 2019 (volume-licensed, MSI-based)
  • Office LTSC 2021
  • Office LTSC 2024
  • PowerPoint 2016 (MSI-based)
  • Office 2016 for Mac
  • Office 2019 for Mac
  • Office LTSC for Mac 2021
  • Office LTSC for Mac 2024

Both 32-bit and 64-bit Windows editions are affected where applicable. Mac users aren’t off the hook either.

For classic MSI-based PowerPoint 2016 installations, the fix arrives as KB5002867, which bumps the build to 16.0.5561.1000. If you upgraded from Office 2016 MSI to a Click-to-Run version of Microsoft 365 Apps, this KB won’t apply—your updates come through your configured servicing channel (Current Channel, Monthly Enterprise, etc.).

The July update also addresses two other PowerPoint heap overflow vulnerabilities: CVE-2026-55043 and CVE-2026-55120. All three share the same fundamental risk: a local code-execution path that needs a poisoned file and a hapless click. Apply the latest Office updates and you’re covered for all three.

A Misleading Label: Why “Remote Code Execution” Causes Confusion

If you read Microsoft’s advisory, you’ll notice the CVE title calls this a “Remote Code Execution” vulnerability. Yet the CVSS vector clearly states the attack vector is Local (AV:L). The apparent mismatch confuses many security teams.

The explanation, straight from Microsoft’s Security Update Guide, is that “remote” refers to the attacker’s location, not the technical attack path. An attacker can be in a different country and deliver the malicious document over email—that makes the threat “remote.” But the vulnerable code runs inside PowerPoint on your local machine only after you open the file. CVSS therefore correctly records the attack vector as local.

For day-to-day defense, this nuance matters less than you might think. Whether you call it RCE, ACE (Arbitrary Code Execution), or a local heap overflow, the practical threat is the same: a phishing email with a booby-trapped .pptx can compromise your endpoint. Blocking inbound network connections to port 443 on your laptop won’t save you because the attack comes through a file, not a socket.

How We Got Here

CVE-2026-55123 is part of a long tradition of Office memory corruption bugs. Heap overflows in older parsing code aren’t rare; Microsoft’s July 2026 cycle alone patched three in PowerPoint. Tenable’s advisory for the month groups them together, and Qualys likewise flags them in its Patch Tuesday roundup.

The vulnerability was not publicly disclosed before Patch Tuesday, and Microsoft found no evidence of active exploitation at the time of release. That doesn’t mean you can wait. Document-based attacks are a favorite of ransomware groups and state-sponsored actors because they bypass many network-perimeter defenses. Once a patch is released, reverse engineering the fix becomes trivial, and exploit writers get to work. The window between “not exploited” and “exploit in the wild” can be terrifyingly short.

What You Should Do Right Now

For Home Users

  • Check for Office updates. In any Office app, go to File > Account > Update Options > Update Now.
  • If you’re running a Click-to-Run version of Microsoft 365 (which most consumer subscriptions use), this forces the latest build.
  • Enable automatic updates if you haven’t already.
  • Remind yourself and your family: don’t open PowerPoint files from strangers. Even a file that appears to come from a colleague could be a spoof.

For IT Administrators

  • Identify all Office deployments in your environment. Determine which are Click-to-Run (Microsoft 365 Apps, Office 2019 Retail) and which are MSI-based (Office 2016 volume license, Office LTSC).
  • For MSI-based PowerPoint 2016, deploy KB5002867. Verify installation by checking the build number in winword.exe or powerpnt.exe properties; it should be at least 16.0.5561.1000.
  • For Click-to-Run installations, enforce update deadlines via Group Policy, Intune, or your management tool. The July 2026 security updates are available in all channels.
  • Consider attack surface reduction rules that block Office applications from creating child processes or injecting code. While these won’t directly stop the heap overflow, they can disrupt common post-exploitation behavior.
  • Remind users through your security awareness program that unexpected presentations are a red flag.

For Developers and ISVs

  • If your application handles or renders PowerPoint files, check whether you use a vulnerable version of the Office runtime. The same parsing libraries could be exposed in custom applications.
  • Test compatibility with the patched build to ensure your automation scripts or plugins still function.

Can I Just Not Update?

Skipping this patch is risky. Even though an attacker needs you to open a file, that’s the easiest hurdle to clear in social engineering. Email filters aren’t perfect; a well-crafted phish with a password-protected zip slipping past a secure email gateway is a weekly occurrence in many organizations.

Blocking VBA macros won’t help because this is a memory corruption flaw, not a macro-based attack. Sandboxing file previews also provides no benefit since the Preview Pane isn’t a vector.

Temporary mitigations include:

  • Using a Group Policy to disable PowerPoint or block .pptx files from running entirely—though that’s likely too disruptive.
  • Opening suspicious files in a virtual machine or isolated environment.
  • Converting incoming presentations to PDFs before viewing, though this is manual and scales poorly.

The durable fix is the security update. Apply it.

Outlook

At the time of writing, no public exploits exist for CVE-2026-55123, but that can change within hours of this article’s publication. Keep an eye on Microsoft’s Security Update Guide for any revision to the “Exploited” flag. If you manage a fleet of machines, flag this CVE in your SIEM and hunt for any signs that a user opened an unknown .pptx file around the time of a suspicious process launch.

Microsoft’s next Patch Tuesday will likely bring fixes for more document-based vulnerabilities. The rinse-and-repeat nature of these flaws underscores why Office updates should be as routine as your morning coffee. Today, it’s a PowerPoint heap overflow. Tomorrow, it could be an Excel one. Apply the patch, update your detection logic, and remind users that double-clicking on a file from the internet is still the digital equivalent of eating unwashed fruit.