CVE-2026-55128 is a Microsoft Word remote code execution vulnerability caused by a use-after-free condition. Microsoft rates it High with a CVSS v3.1 base score of 7.8 and temporal score of 6.8. The vector is local attack (AV:L), low complexity, no privileges required, and user interaction is required. Microsoft says an attacker must send a malicious Office file and convince a user to open it; the Preview Pane is not an attack vector. Exploit status is not reported as active, and Microsoft says exploitation is unlikely. For enterprise environments, the local vector and required user interaction reduce exposure compared with network-reachable, no-interaction issues, but it remains relevant for phishing-driven document delivery. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Unlikely; vector context is LOCAL with LOW attack complexity, NO privileges required, and user interaction required. - Severity for enterprise: High severity by CVSS, but real-world risk is lower than network-exposed, no-interaction vulnerabilities because exploitation requires local execution and a user opening a malicious Office file. - Patch status: available; customer action required. Affected systems: - No products listed in product_tree.