CVE-2026-55132
Microsoft Word Remote Code Execution Vulnerability
Description
Double free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
In plain language
AI Act nowCVE-2026-55132 is a Microsoft Word bug that can let an attacker run code on your computer if you open a specially made Word document. If you use Microsoft Word or Microsoft 365 apps (and related SharePoint/Office server products) you should update, because it doesn’t require a login—just getting the document opened.
CVE-2026-55132 is a local Microsoft Word double-free flaw (CWE-415) that can be triggered when a user opens a specially crafted document, leading to arbitrary code execution under the current user’s privileges; Microsoft Office and SharePoint server components are also listed as impacted and have fixed versions available.
What to do now
- Check whether your business uses the affected Microsoft products (Microsoft 365 apps / Microsoft Office / Microsoft Word 2016 / Microsoft Office 365 for Mac / Microsoft Office LTSC for Mac 2021 and 2024 / Microsoft SharePoint Enterprise Server 2016, 2019, and Subscription Edition).
- For Windows Microsoft 365 apps and Microsoft Office, update to the latest security release listed on https://aka.ms/OfficeSecurityReleases.
- For macOS Microsoft Office 365 for Mac and the LTSC for Mac 2021/2024, update to at least 16.111.26071215.
- For SharePoint Server on-prem, update to at least the fixed builds: 16.0.5561.1001 (2016), 16.0.10417.20175 (2019), and 16.0.19725.20434 (Subscription Edition).
- Until you’re fully updated, block or carefully filter incoming Word attachments and treat unexpected documents as suspicious, then report and remove any file that caused alerts.
CVSS Vector Breakdown
AV:LAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-55132 and every CVE in our database. Create a free account — no credit card required.
Create Free Account