CVE-2026-55948: Update Excel to Stop Malicious Workbook RCE

CVE-2026-55948 is a high-severity Microsoft Excel vulnerability that can let an attacker run arbitrary code after a user opens a malicious workbook. Microsoft published the flaw on July 14, 2026, with a CVSS 3.1 score of 7.8 and the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
The apparent contradiction between “Remote Code Execution” in Microsoft’s title and AV:L, or Local Attack Vector, is a matter of terminology rather than conflicting technical assessments. As Microsoft explains in its Security Update Guide, remote describes the attacker’s position, while CVSS Attack Vector describes how exploitation reaches the vulnerable Excel component.
In practical terms, the attacker may send the workbook remotely through email, Microsoft Teams, a website, cloud storage, or another delivery channel. The vulnerability is triggered locally when Excel processes that file on the victim’s computer.

Cyberattack diagram showing a malicious Excel file exploiting a memory use-after-free vulnerability.Remote Delivery Does Not Make the Parser Network-Facing​

CVE-2026-55948 is a use-after-free vulnerability, classified as CWE-416. Microsoft’s CVE description says the memory-safety error in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
That wording reflects the CVSS model. Excel’s vulnerable file-processing component is not exposed as a network service that an attacker can directly address with specially crafted packets. Instead, the malicious content must reach Excel and be processed on the target machine.
The distinction becomes clearer by comparing two hypothetical attacks. A flaw in a server listening on a TCP port may receive attacker-controlled data directly across the internet, qualifying for AV:N. A malicious Excel workbook can also arrive across the internet, but the final exploitation step occurs inside the locally running Excel process after the user opens or otherwise processes the document.
The official CVSS 3.1 specification maintained by FIRST explicitly allows this interpretation. A vulnerability is scored AV:L when exploitation depends on local read, write, or execution capabilities, including cases where an attacker uses social engineering to persuade another person to open a malicious document.
FIRST’s CVSS examples go further: a document-parsing vulnerability that does not inherently require a network is generally scored Local regardless of whether the malicious document was distributed through a website, email, or removable drive. The delivery mechanism and the vulnerable component’s attack surface are related, but they are not the same metric.
That makes local execution the technical trigger, not necessarily the attacker’s physical location. The attacker does not have to sit at the keyboard or already hold an interactive account on the Windows PC.

Why Microsoft Still Calls It Remote Code Execution​

Microsoft commonly uses “Remote Code Execution” as an impact category for vulnerabilities that allow an external attacker to cause attacker-chosen code to run on another person’s machine. In document-based attacks, the adversary prepares and delivers the malicious file remotely, while the victim supplies the required local action.
Microsoft acknowledges that this class of issue is also described as Arbitrary Code Execution, or ACE. That term avoids implying that Excel itself can be attacked directly over the network, but Microsoft’s established security taxonomy continues to place many malicious-document flaws under the broader RCE heading.
The complete CVSS vector explains the attack more precisely than the title:
  • AV:L means exploitation takes place through a local processing path rather than a network-facing protocol.
  • AC:L means Microsoft does not identify unusual conditions or a complex race that must be satisfied.
  • PR:N means the attacker does not need an existing account or privileges on the target system.
  • UI:R means successful exploitation requires action by a user.
  • S:U means the security scope remains unchanged.
  • C:H/I:H/A:H means successful exploitation could have a high impact on confidentiality, integrity, and availability.
The UI:R value is especially important. CVE-2026-55948 is not described as a no-click compromise of any internet-connected Excel installation. A victim must interact with attacker-controlled content, most plausibly by opening a crafted workbook.
Once triggered, however, the result is code execution in the victim’s security context. If the user has access to sensitive files, mapped network drives, SharePoint libraries, OneDrive folders, or business applications, malicious code running under that identity may inherit much of the same access.
The lack of required attacker privileges should not be confused with the privileges obtained after exploitation. PR:N describes what the attacker needs before launching the attack, not whether the resulting code automatically receives administrator rights. Standard-user deployments can therefore reduce the blast radius, although they do not prevent compromise of the user’s data and accessible resources.

Excel 2016, Microsoft 365, LTSC, Mac, and Office Online Are Affected​

Microsoft’s published product data covers a broad range of supported Office deployments. Affected products include Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office 365 for Mac, Office LTSC for Mac 2021 and 2024, and Office Online Server.
For installations with explicit version thresholds, the CVE record identifies these corrected levels:
  • Microsoft Excel 2016 installations should be updated to version 16.0.5561.1001 or later.
  • Microsoft Office for Mac installations should reach version 16.111.26071215 or later.
  • Office Online Server should reach version 16.0.10417.20175 or later.
Microsoft 365 Apps and several perpetual Office editions use servicing-channel-specific releases rather than one universal fixed build in the CVE record. Administrators should use Microsoft’s Office security release information and their normal Microsoft 365 Apps update controls to verify that the July 14, 2026 security release has reached each channel.
Office Online Server deserves separate attention because it is centrally administered and may not follow the same update workflow as desktop Office. Organizations operating it should verify the installed build rather than assuming that Windows Update or Microsoft 365 Apps servicing covered the server.
The National Vulnerability Database listed CVE-2026-55948 as awaiting NVD enrichment on July 14. Its published score and vector came from Microsoft, the assigning CVE Numbering Authority. CISA’s initial SSVC data recorded no known exploitation at publication time, but that is a point-in-time observation rather than evidence that malicious workbooks will remain theoretical.

The Defensive Priority Is File Handling and Patch Coverage​

For endpoint teams, the immediate response is to deploy the applicable Office updates and confirm build compliance. Microsoft 365 Apps can update independently of the Windows operating system, so a fully patched Windows 11 PC is not necessarily running a patched Excel build.
Administrators should also review devices that sit outside normal Click-to-Run servicing, including disconnected systems, virtual desktop images, long-lived pooled desktops, and PCs assigned to deferred Microsoft 365 update channels. Office 2016 and Office 2019 installations may require different deployment packages from current Microsoft 365 Apps environments.
Email filtering, Protected View, Microsoft Defender attack-surface reduction rules, and controls that block files originating from untrusted locations can add friction to malicious-document campaigns. Those measures are layers rather than substitutes for the security update; a workbook may arrive through a trusted account, shared cloud folder, compromised collaboration channel, or removable media.
The title therefore does not override the CVSS vector. CVE-2026-55948 is remote in attacker outcome and delivery, but local in its exploitation path: someone elsewhere can send the weaponized workbook, yet Excel must process it on the target device before code execution occurs.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
  4. Official source: microsoft.com
 

Back
Top