CVE-2026-58644 is a critical (CVSS 9.8) deserialization vulnerability in Microsoft Office SharePoint that lets an unauthenticated attacker execute code remotely over a network.
What Is It
CVE-2026-58644 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft Office SharePoint. According to the NVD record, the flaw allows an unauthorized attacker to execute code over a network. Microsoft (source identifier [email protected]) published the record on July 14, 2026, and it currently carries a status of "Awaiting Analysis."
Why It Matters
The vulnerability holds a CVSS 3.1 base score of 9.8 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That combination means the attack is network-reachable, low in complexity, and requires no privileges and no user interaction, while delivering high impact to confidentiality, integrity, and availability. Unauthenticated remote code execution against a widely deployed collaboration platform makes this a high-priority patching target.
What's Vulnerable
Per the affected data in the NVD record, the following x64-based Microsoft products are impacted:
- Microsoft SharePoint Enterprise Server 2016: versions 16.0.0 up to (but not including) 16.0.5556.1005
- Microsoft SharePoint Server 2019: versions 16.0.0 up to (but not including) 16.0.10417.20153
- Microsoft SharePoint Server Subscription Edition: versions 16.0.0 up to (but not including) 16.0.19725.20384
Patch Status
The NVD affected-version ranges indicate fixes are available: updating to at least 16.0.5556.1005 (Enterprise Server 2016), 16.0.10417.20153 (Server 2019), or 16.0.19725.20384 (Subscription Edition) removes exposure to the affected version range. Refer to Microsoft's MSRC update guide for the specific security update. No CISA KEV entry was supplied with this record, so active exploitation is not confirmed in the provided source material.
Sources
- Microsoft Security Response Center (MSRC) Update Guide; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644
- NVD, CVE-2026-58644 (record published by [email protected])