CVE-2026-55045
Microsoft Office Remote Code Execution Vulnerability
Description
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.
In plain language
AI Act nowCVE-2026-55045 is a Microsoft Office security flaw that can let an attacker run code on your computer without needing a login or clicks, as long as a vulnerable Microsoft Office/SharePoint version is installed—so you should update soon.
CVE-2026-55045 is an out-of-bounds read in Microsoft Office that can be abused by an unauthorized local attacker to execute arbitrary code on the machine; the trigger requires a vulnerable Office installation (no user interaction or authentication).
What to do now
- Check which of these you run: Microsoft 365 Apps, Microsoft Office, Microsoft Office 365 for Mac, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft SharePoint Enterprise Server 2016/2019/Subscription Edition.
- Verify your installed version against the fixed versions below.
- Update Microsoft 365 Apps to the latest release from OfficeSecurityReleases.
- Update Microsoft Office to 16.0.5561.1000.
- Update Microsoft Office for Mac / LTSC for Mac (2021, 2024) to 16.111.26071215.
- Update SharePoint Enterprise Server 2016 to 16.0.5561.1001.
- Update SharePoint Server 2019 to 16.0.10417.20175.
- Update SharePoint Server Subscription Edition to 16.0.19725.20434.
- If you can’t update immediately, restrict access to the affected machines (especially limiting untrusted local access) until patches are applied.
CVSS Vector Breakdown
AV:LAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-55045 and every CVE in our database. Create a free account — no credit card required.
Create Free Account