CVE-2026-55136: Patch Excel RCE With July 14 Office Updates

CVE-2026-55136 is a high-severity Microsoft Excel remote code execution vulnerability fixed in Microsoft’s July 14, 2026 security updates, affecting Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC, Office for Mac, and Office Online Server. Organizations should deploy the relevant Office updates promptly, particularly on systems where users routinely open spreadsheets received through email, collaboration platforms, or external file shares.
Detailed in Microsoft’s Security Update Guide, the vulnerability carries a CVSS 3.1 score of 7.8 and an Important severity rating. Microsoft describes the underlying weakness as an untrusted pointer dereference in Excel that can allow an unauthorized attacker to execute code locally.
The distinction between “remote code execution” in the advisory title and the local CVSS attack vector matters. This is not a network service vulnerability that an attacker can trigger simply by connecting to a Windows PC. Exploitation requires user interaction, most plausibly involving a targeted user opening or otherwise processing a malicious spreadsheet.

Cybersecurity warning icons surround a compromised spreadsheet and connected devices in a server room.A Malicious Workbook Is the Likely Delivery Vehicle​

Microsoft’s CVSS vector records low attack complexity, no privileges required, and required user interaction. In practical terms, an attacker does not need an existing account on the target machine, but must persuade someone—or an application acting on that person’s behalf—to handle attacker-controlled Excel content.
The flaw is categorized as CWE-822, Untrusted Pointer Dereference. This class of memory-safety defect occurs when software relies on a pointer value that cannot be trusted, potentially causing Excel to access an unintended memory location. In a successful exploit, that memory error could be manipulated to run attacker-supplied code rather than merely crashing the application.
Microsoft has not published proof-of-concept code or the detailed workbook structure needed to trigger CVE-2026-55136. That limits immediate technical certainty for defenders, but it also withholds useful information from would-be attackers while patch deployment begins.
CISA’s initial assessment recorded no known exploitation and classified the issue as not readily automatable, while recognizing that successful exploitation could have a total technical impact on the affected system. The Zero Day Initiative’s July update review likewise listed the vulnerability as neither publicly disclosed nor under active attack at release time.
That means CVE-2026-55136 was not a known zero-day when Microsoft issued the fix on July 14. It should still receive serious attention: Office document vulnerabilities are attractive for phishing and targeted intrusion campaigns because spreadsheets are routinely exchanged with customers, suppliers, accountants, and internal business units.

The Affected Office Footprint Is Broad​

The CVE record identifies both 32-bit and 64-bit Windows installations where applicable. Microsoft lists the following product families as affected:
  • Microsoft 365 Apps for Enterprise is affected on 32-bit and x64-based systems.
  • Microsoft Excel 2016 is affected on 32-bit and x64-based systems.
  • Microsoft Office 2019 is affected on 32-bit and x64-based systems.
  • Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
  • Microsoft 365 and Office LTSC editions for Mac are affected.
  • Office Online Server is affected.
For Excel 2016, Microsoft released KB5002886 as part of the July 2026 Office security update set. Microsoft’s published version data indicates that Excel 2016 builds earlier than 16.0.5561.1001 are affected.
Office Online Server administrators need KB5002884, with the fixed product version identified as 16.0.10417.20175. This deployment deserves separate attention because Office Online Server is centrally managed and may process documents for many users rather than exposing the vulnerable code on only one workstation.
On macOS, the fixed release is version 16.111.26071215 for Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024. Mac administrators should verify the installed application build rather than assuming that Microsoft AutoUpdate has already completed across every device.
Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Office LTSC 2024 receive fixes through their applicable Office servicing channels and release builds. Administrators should check the channel actually assigned to each device because Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel installations do not necessarily converge on the same version at the same time.
The breadth of this list also makes inventory important. An organization may have Microsoft 365 Apps on employee laptops, perpetual Office LTSC installations on production systems, and older Excel 2016 deployments attached to specialist software. A successful rollout to the main Microsoft 365 fleet does not prove that those less-visible installations are protected.

“User Interaction Required” Is Not a Safety Control​

The required user action reduces exploitability compared with a remotely reachable service flaw, but it is not a dependable mitigation. Spreadsheet attachments remain normal in finance, procurement, logistics, sales, and human-resources workflows, and an attacker can construct a message that fits those expectations.
Protected View, Mark of the Web handling, email filtering, attachment sandboxing, and endpoint detection can add barriers around suspicious Office documents. Those controls may reduce exposure, but Microsoft’s published remedy is the security update; the advisory does not identify a configuration workaround that provides equivalent protection.
Running users without local administrator rights can limit some post-exploitation consequences, although code execution would still occur in the user’s security context. An attacker could potentially access files available to that account, interact with mapped resources, steal credentials accessible within the session, or establish a foothold for further activity.
Security teams should therefore avoid treating CVE-2026-55136 as a macro problem. The documented root cause is a pointer-handling defect in Excel, not malicious VBA. Disabling macros may be sensible as a broader Office security policy, but it does not constitute a documented fix for this vulnerability.
Defenders also should not rely exclusively on file extensions. Excel-related content can arrive through email attachments, Microsoft Teams, SharePoint libraries, OneDrive synchronization, browser downloads, archives, and line-of-business portals. Controls should follow the document’s origin and trust status rather than assuming that an apparently familiar filename is harmless.

Patch Verification Matters More Than the Headline Score​

For managed Windows environments, the first task is to identify the installed Office edition, architecture, servicing channel, and build. Microsoft Configuration Manager, Intune, endpoint-management inventories, vulnerability scanners, and Office cloud-management reporting can all help reveal devices that remain below the corrected release.
Excel 2016 installations should show KB5002886 as installed and should be checked for the corrected 16.0.5561.1001 build or later. Office Online Server farms require the corresponding KB5002884 update and the normal farm-wide maintenance and verification process; updating only one server can leave inconsistent binaries across the deployment.
Microsoft 365 Apps administrators should monitor update compliance rather than merely issuing an update command. Devices that are rarely online, stuck on an old channel, excluded by update policies, or unable to retrieve Office content can remain vulnerable long after the central deployment reports initial success.
Organizations that cannot patch immediately should tighten handling of externally sourced spreadsheets, use attachment detonation where available, and prevent untrusted documents from bypassing Protected View. Help desks and security operations centers should also watch for reports of Excel crashing after a newly received workbook is opened, although a crash alone does not establish exploitation.
CVE-2026-55136 had no known exploitation when disclosed, but its combination of low attack complexity, no privilege requirement, and potential code execution makes delayed remediation difficult to justify. The concrete milestone is straightforward: move every affected Windows and Mac Office installation—and every Office Online Server farm—to Microsoft’s July 14, 2026 fixed builds, then verify that the update actually reached the machines where spreadsheets are opened.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top