Type Confusion in Microsoft Office for macOS and Microsoft Office - CVE-2026-55022

 

Type Confusion in Microsoft Office for macOS and Microsoft Office - CVE-2026-55022

Published: July 17, 2026


Vulnerability identifier: #VU138196
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-55022
CWE-ID: CWE-843
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Office for macOS
Microsoft Office

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to access of resource using incompatible type ('type confusion') in Microsoft Office when parsing a crafted Office file. A remote attacker can send a specially crafted Office file and convince the victim to open it to execute arbitrary code.

The Preview Pane can be used as an attack vector, and user interaction is required.


How to mitigate CVE-2026-55022

Install security update from vendor's website.

Sources