Microsoft has patched CVE-2026-55044, a high-severity Microsoft Excel remote code execution vulnerability that can let a malicious workbook run code under the victim’s account. The flaw carries a CVSS 3.1 score of 7.8 and affects Microsoft 365 Apps for enterprise, Excel 2016, Office 2019, Office LTSC 2021 and 2024, supported Office editions for Mac, and Office Online Server.
Detailed in Microsoft’s July 14, 2026 security release, the vulnerability stems from an out-of-bounds read in Excel. Microsoft classifies the issue as Important rather than Critical because exploitation requires user interaction: the victim must open a specially crafted file in an affected version of Excel.
Microsoft says CVE-2026-55044 was not publicly disclosed and was not known to be exploited when the update shipped. Its exploitability assessment is “Exploitation Less Likely,” but administrators should not treat that rating as a reason to defer Office patching.
The vulnerability’s title can create the impression that an attacker can directly reach an Excel installation over the network. The CVSS vector tells a more precise story: CVE-2026-55044 is scored as a local attack vector with low attack complexity, no privileges required, and user interaction required.
In practical terms, an attacker would need to persuade the target to open malicious Excel content. That workbook could arrive through email, a collaboration platform, cloud storage, a download page, or another file-delivery route. Once opened in a vulnerable Excel installation, it could trigger the memory-handling error and execute attacker-controlled code.
The resulting code runs in the context of the current user. A successful attack against a standard account would inherit that account’s restricted permissions, while exploitation under an administrator account could provide substantially wider access to the system, its files, and installed applications.
This distinction is why least-privilege operation remains relevant even after endpoint protections and attachment filtering are considered. It does not prevent exploitation, but it can constrain what the attacker can do after Excel has been compromised.
The CVSS vector assigns high potential impact to confidentiality, integrity, and availability. That reflects the possible consequences of arbitrary code execution: accessing data, modifying files, installing additional payloads, or disrupting the workstation.
Confirmation should not be confused with evidence of exploitation. As of July 15, Microsoft’s Security Update Guide, the National Vulnerability Database, and the Zero Day Initiative’s July update review did not identify CVE-2026-55044 as publicly disclosed or exploited in the wild.
The National Vulnerability Database was still awaiting its own enrichment analysis after receiving the record from Microsoft on July 14. Its entry nevertheless reproduces Microsoft’s 7.8 score, vulnerability description, affected-product data, and CWE classification.
Microsoft’s temporal vector also indicates an unproven exploit maturity and an official fix. That provides some breathing room for staged enterprise deployment, but not an indefinite window. File-format vulnerabilities are particularly useful for phishing operations because spreadsheets are routine business documents and may pass through several trusted people before reaching the eventual target.
CVE-2026-55044 was also only one of numerous Excel vulnerabilities addressed in Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft flaws fixed during the month, including 145 remote code execution vulnerabilities across the company’s products. The volume increases the risk that Office fixes will become buried inside a broader Windows patch cycle.
Office Online Server receives its July fixes through KB5002884. That server component deserves separate inventory attention because it may not follow the same update workflow as Microsoft 365 Apps installed on managed Windows endpoints.
Click-to-Run Microsoft 365 and Office LTSC deployments should be checked against Microsoft’s current Office security release table rather than relying exclusively on a Windows build number. Administrators using update channels or deployment deferrals should verify that devices have actually moved onto a patched Office build.
Mac administrators should confirm that Excel reports version 16.111.26071215 or later. Merely checking that Microsoft AutoUpdate is enabled is not equivalent to confirming successful installation, especially on laptops that are frequently offline or where users postpone application restarts.
Office 2019 presents an additional lifecycle concern. Mainstream Microsoft support for Office 2019 ended in October 2025, yet the CVE record still lists the product as affected. Organizations that retain Office 2019 should establish whether their servicing path supplies the July security correction or whether those installations now represent unsupported exposure requiring replacement.
Administrators can reduce immediate risk while updates are being deployed by reinforcing controls around internet-originated Office documents. Protected View, Microsoft Defender SmartScreen, attachment scanning, Attack Surface Reduction rules, and restrictions on files from untrusted locations add useful layers, although none should be substituted for the vendor patch.
Mail and collaboration telemetry can also help identify suspicious workbook delivery. Defenders should watch for Excel spawning command interpreters, scripting engines, download utilities, or unfamiliar child processes, particularly after a document was retrieved from email or cloud storage.
The absence of detected exploitation on July 14 is the favorable part of Microsoft’s assessment. The less favorable part is that CVE-2026-55044 requires no prior attacker privileges and has low attack complexity once a victim opens the crafted file. Enterprises should use that window to deploy KB5002886, update Click-to-Run and Mac installations, and bring Office Online Server to version 16.0.10417.20175 before a malicious workbook turns an ordinary spreadsheet workflow into an initial-access route.
Detailed in Microsoft’s July 14, 2026 security release, the vulnerability stems from an out-of-bounds read in Excel. Microsoft classifies the issue as Important rather than Critical because exploitation requires user interaction: the victim must open a specially crafted file in an affected version of Excel.
Microsoft says CVE-2026-55044 was not publicly disclosed and was not known to be exploited when the update shipped. Its exploitability assessment is “Exploitation Less Likely,” but administrators should not treat that rating as a reason to defer Office patching.
“Remote” Code Execution Still Starts With a Workbook
The vulnerability’s title can create the impression that an attacker can directly reach an Excel installation over the network. The CVSS vector tells a more precise story: CVE-2026-55044 is scored as a local attack vector with low attack complexity, no privileges required, and user interaction required.In practical terms, an attacker would need to persuade the target to open malicious Excel content. That workbook could arrive through email, a collaboration platform, cloud storage, a download page, or another file-delivery route. Once opened in a vulnerable Excel installation, it could trigger the memory-handling error and execute attacker-controlled code.
The resulting code runs in the context of the current user. A successful attack against a standard account would inherit that account’s restricted permissions, while exploitation under an administrator account could provide substantially wider access to the system, its files, and installed applications.
This distinction is why least-privilege operation remains relevant even after endpoint protections and attachment filtering are considered. It does not prevent exploitation, but it can constrain what the attacker can do after Excel has been compromised.
The CVSS vector assigns high potential impact to confidentiality, integrity, and availability. That reflects the possible consequences of arbitrary code execution: accessing data, modifying files, installing additional payloads, or disrupting the workstation.
Microsoft’s Record Confirms the Flaw, Not Active Attacks
The vulnerability information supplied by Microsoft carries a “confirmed” level of technical confidence. That designation means the flaw has been acknowledged by the affected vendor and is supported by enough technical information to identify its underlying weakness as CWE-125, an out-of-bounds read.Confirmation should not be confused with evidence of exploitation. As of July 15, Microsoft’s Security Update Guide, the National Vulnerability Database, and the Zero Day Initiative’s July update review did not identify CVE-2026-55044 as publicly disclosed or exploited in the wild.
The National Vulnerability Database was still awaiting its own enrichment analysis after receiving the record from Microsoft on July 14. Its entry nevertheless reproduces Microsoft’s 7.8 score, vulnerability description, affected-product data, and CWE classification.
Microsoft’s temporal vector also indicates an unproven exploit maturity and an official fix. That provides some breathing room for staged enterprise deployment, but not an indefinite window. File-format vulnerabilities are particularly useful for phishing operations because spreadsheets are routine business documents and may pass through several trusted people before reaching the eventual target.
CVE-2026-55044 was also only one of numerous Excel vulnerabilities addressed in Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft flaws fixed during the month, including 145 remote code execution vulnerabilities across the company’s products. The volume increases the risk that Office fixes will become buried inside a broader Windows patch cycle.
The Patch Reaches Desktop, Mac, and Server Installations
Microsoft identifies the following product families as affected:- Microsoft 365 Apps for enterprise is affected on both 32-bit and 64-bit Windows installations that have not received the applicable Office security release.
- Microsoft Excel 2016 is affected before version 16.0.5561.1001 on both 32-bit and 64-bit systems.
- Microsoft Office 2019 is included in Microsoft’s affected-product record.
- Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on 32-bit and 64-bit Windows systems.
- Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 are affected before version 16.111.26071215.
- Office Online Server is affected before version 16.0.10417.20175.
Office Online Server receives its July fixes through KB5002884. That server component deserves separate inventory attention because it may not follow the same update workflow as Microsoft 365 Apps installed on managed Windows endpoints.
Click-to-Run Microsoft 365 and Office LTSC deployments should be checked against Microsoft’s current Office security release table rather than relying exclusively on a Windows build number. Administrators using update channels or deployment deferrals should verify that devices have actually moved onto a patched Office build.
Mac administrators should confirm that Excel reports version 16.111.26071215 or later. Merely checking that Microsoft AutoUpdate is enabled is not equivalent to confirming successful installation, especially on laptops that are frequently offline or where users postpone application restarts.
Inventory Matters More Than the Excel Shortcut
Security teams should not limit their search to users who appear to work with spreadsheets every day. Excel components may be installed as part of a larger Office suite even when another application is the user’s primary tool, and old MSI installations can remain on systems after newer Microsoft 365 software has been introduced.Office 2019 presents an additional lifecycle concern. Mainstream Microsoft support for Office 2019 ended in October 2025, yet the CVE record still lists the product as affected. Organizations that retain Office 2019 should establish whether their servicing path supplies the July security correction or whether those installations now represent unsupported exposure requiring replacement.
Administrators can reduce immediate risk while updates are being deployed by reinforcing controls around internet-originated Office documents. Protected View, Microsoft Defender SmartScreen, attachment scanning, Attack Surface Reduction rules, and restrictions on files from untrusted locations add useful layers, although none should be substituted for the vendor patch.
Mail and collaboration telemetry can also help identify suspicious workbook delivery. Defenders should watch for Excel spawning command interpreters, scripting engines, download utilities, or unfamiliar child processes, particularly after a document was retrieved from email or cloud storage.
The absence of detected exploitation on July 14 is the favorable part of Microsoft’s assessment. The less favorable part is that CVE-2026-55044 requires no prior attacker privileges and has low attack complexity once a victim opens the crafted file. Enterprises should use that window to deploy KB5002886, update Click-to-Run and Mac installations, and bring Office Online Server to version 16.0.10417.20175 before a malicious workbook turns an ordinary spreadsheet workflow into an initial-access route.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: June 9, 2026 (KB5002877) | Microsoft Support
Description of the security update for Excel 2016: June 9, 2026 (KB5002877)support.microsoft.com - Related coverage: techradar.com
An ancient Microsoft Excel security flaw could let hackers hijack your entire system, so patch now | TechRadar
CISA is warning about ongoing exploitation of a 2008 bugwww.techradar.com