Microsoft has patched CVE-2026-55054, an information-disclosure vulnerability in Excel that can expose sensitive memory when a user interacts with malicious content. The flaw carries a CVSS 3.1 base score of 6.5 and affects supported editions of Microsoft 365 Apps, Office 2019, Office LTSC, Excel 2016, Office for Mac, and Office Online Server.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability is caused by an out-of-bounds read in Microsoft Office Excel. Administrators should deploy the applicable July Office security updates rather than treating the medium-severity score as permission to defer remediation.
Microsoft’s description is brief, and the National Vulnerability Database is still awaiting its own enrichment analysis. The available record nevertheless confirms the underlying weakness, affected product range, attack prerequisites, and potential confidentiality impact.
CVE-2026-55054 has the vector
That final condition matters. This is not an unauthenticated service flaw that an attacker can automatically exploit simply by locating a vulnerable machine on the internet. The likely route is content delivered through email, a download, a collaboration platform, or another channel that persuades the recipient to open or process it with Excel.
Microsoft characterizes the result as information disclosure over a network. The confidentiality component of the CVSS vector is rated High, while integrity and availability are rated None. Successful exploitation is therefore intended to retrieve information rather than modify spreadsheets, install malware, or crash the system.
The weakness is catalogued as CWE-125, an out-of-bounds read. This class of bug occurs when software reads beyond the intended boundary of a memory buffer. Depending on the data located next to that buffer and the reliability of the technique, an attacker may be able to expose memory that should never have been returned to the document or remote party.
Microsoft has not publicly documented exactly what information can be recovered, how much memory may be exposed, or the workbook structure needed to trigger the faulty code path. There is also no public proof-of-concept included in the advisory. Those omissions limit defenders’ ability to build a precise detection rule, but they do not reduce the need to patch the parser responsible for handling the content.
Affected releases include:
That distinction is easy to miss in mixed estates. KB5002886 is intended for MSI-based Excel 2016 and is not the package used to service Microsoft 365 Apps. Endpoint reports that merely say “Office 16” may therefore be insufficient for deployment targeting; administrators need to distinguish MSI, Click-to-Run, channel, architecture, and installed build.
Office Online Server also deserves separate attention. A server-side Office component can process files outside the conventional desktop workflow, so administrators should not assume that mail filtering or Protected View on endpoints covers every possible route to the vulnerable Excel code. Microsoft associates the Office Online Server correction with the July security update KB5002884, which brings the relevant build to 16.0.10417.20175.
Spreadsheets routinely cross trust boundaries. Finance teams receive workbooks from suppliers, recruiters handle attachments from applicants, and administrators export operational data into Excel for analysis. Attackers do not need an unusual delivery channel when
The lack of integrity and availability impact also means this issue may not produce the obvious symptoms associated with destructive attacks. A successful disclosure could leave the workbook appearing to open normally. Endpoint telemetry may record little beyond Excel opening a document and communicating with a remote destination, depending on the precise exploitation method and the organization’s monitoring coverage.
CISA’s initial SSVC data recorded no known exploitation as of July 14 and assessed the vulnerability as not readily automatable, with partial technical impact. That is reassuring for immediate triage, but it is a snapshot rather than a guarantee. The confirmed out-of-bounds read and Microsoft-supplied CVSS vector provide enough technical certainty for defenders to act even while public exploit details remain sparse.
This is where the confidence information surrounding the CVE is useful. CVE-2026-55054 is not merely an unverified report based on unexplained crashes: Microsoft has acknowledged the flaw, assigned a specific weakness category, identified affected versions, and released corrected builds. Confidence in the vulnerability’s existence is therefore high even though the public record does not disclose its full mechanics.
While updates are being validated, existing Office controls can reduce exposure. Organizations can continue blocking unsolicited Office files at high-risk entry points, using Protected View and Microsoft Defender attachment scanning, restricting outbound connections from Office applications where operationally feasible, and isolating documents from untrusted senders.
Those controls should remain supporting layers rather than substitutes for the update. A trusted sender’s account can be compromised, and malicious files can arrive through Teams, SharePoint, OneDrive, browser downloads, removable media, or line-of-business portals instead of conventional email.
Administrators should record at least four items during verification: the Office servicing model, the installed build, the update channel, and whether Office Online Server is present. For Excel 2016, build 16.0.5561.1001 or later is the concrete threshold in Microsoft’s vulnerability record; on Mac, the corresponding threshold is 16.111.26071215.
CVE-2026-55054 is not currently described as exploited in the wild, and it does not provide remote code execution. Its practical risk is narrower but still clear: an unpatched Excel installation can be induced to disclose data after a user handles attacker-controlled content. The July Office rollout closes that path, provided organizations verify the corrected build rather than assuming that an update policy has already delivered it.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability is caused by an out-of-bounds read in Microsoft Office Excel. Administrators should deploy the applicable July Office security updates rather than treating the medium-severity score as permission to defer remediation.
Microsoft’s description is brief, and the National Vulnerability Database is still awaiting its own enrichment analysis. The available record nevertheless confirms the underlying weakness, affected product range, attack prerequisites, and potential confidentiality impact.
A Malicious Workbook Still Needs a User
CVE-2026-55054 has the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, an attacker can deliver the malicious content remotely, requires no existing account or privileges, and faces relatively low attack complexity. Exploitation does, however, require user interaction.That final condition matters. This is not an unauthenticated service flaw that an attacker can automatically exploit simply by locating a vulnerable machine on the internet. The likely route is content delivered through email, a download, a collaboration platform, or another channel that persuades the recipient to open or process it with Excel.
Microsoft characterizes the result as information disclosure over a network. The confidentiality component of the CVSS vector is rated High, while integrity and availability are rated None. Successful exploitation is therefore intended to retrieve information rather than modify spreadsheets, install malware, or crash the system.
The weakness is catalogued as CWE-125, an out-of-bounds read. This class of bug occurs when software reads beyond the intended boundary of a memory buffer. Depending on the data located next to that buffer and the reliability of the technique, an attacker may be able to expose memory that should never have been returned to the document or remote party.
Microsoft has not publicly documented exactly what information can be recovered, how much memory may be exposed, or the workbook structure needed to trigger the faulty code path. There is also no public proof-of-concept included in the advisory. Those omissions limit defenders’ ability to build a precise detection rule, but they do not reduce the need to patch the parser responsible for handling the content.
The Product List Reaches Beyond Excel 2016
The affected inventory is wider than the vulnerability’s Excel branding might initially suggest. Microsoft’s CVE record identifies both Windows and macOS Office products, along with Office Online Server.Affected releases include:
- Microsoft 365 Apps for Enterprise is affected on both 32-bit and 64-bit Windows installations until the appropriate servicing-channel update is installed.
- Microsoft Excel 2016 is affected on 32-bit and 64-bit systems before build 16.0.5561.1001.
- Microsoft Office 2019 is affected and receives its fix through Microsoft’s Office security servicing process.
- Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
- Microsoft 365 and Office 365 for Mac are affected before version 16.111.26071215.
- Office LTSC for Mac 2021 and Office LTSC for Mac 2024 are affected before version 16.111.26071215.
- Office Online Server is affected before build 16.0.10417.20175.
That distinction is easy to miss in mixed estates. KB5002886 is intended for MSI-based Excel 2016 and is not the package used to service Microsoft 365 Apps. Endpoint reports that merely say “Office 16” may therefore be insufficient for deployment targeting; administrators need to distinguish MSI, Click-to-Run, channel, architecture, and installed build.
Office Online Server also deserves separate attention. A server-side Office component can process files outside the conventional desktop workflow, so administrators should not assume that mail filtering or Protected View on endpoints covers every possible route to the vulnerable Excel code. Microsoft associates the Office Online Server correction with the July security update KB5002884, which brings the relevant build to 16.0.10417.20175.
Medium Severity Does Not Mean Trivial Exposure
A 6.5 score places CVE-2026-55054 in the medium range under CVSS 3.1, but the score combines two different characteristics: potentially serious disclosure after exploitation and the need for a person to interact with the content. It does not indicate that the leaked information would necessarily be harmless.Spreadsheets routinely cross trust boundaries. Finance teams receive workbooks from suppliers, recruiters handle attachments from applicants, and administrators export operational data into Excel for analysis. Attackers do not need an unusual delivery channel when
.xlsx, .xls, and related Office files are already expected in everyday business traffic.The lack of integrity and availability impact also means this issue may not produce the obvious symptoms associated with destructive attacks. A successful disclosure could leave the workbook appearing to open normally. Endpoint telemetry may record little beyond Excel opening a document and communicating with a remote destination, depending on the precise exploitation method and the organization’s monitoring coverage.
CISA’s initial SSVC data recorded no known exploitation as of July 14 and assessed the vulnerability as not readily automatable, with partial technical impact. That is reassuring for immediate triage, but it is a snapshot rather than a guarantee. The confirmed out-of-bounds read and Microsoft-supplied CVSS vector provide enough technical certainty for defenders to act even while public exploit details remain sparse.
This is where the confidence information surrounding the CVE is useful. CVE-2026-55054 is not merely an unverified report based on unexplained crashes: Microsoft has acknowledged the flaw, assigned a specific weakness category, identified affected versions, and released corrected builds. Confidence in the vulnerability’s existence is therefore high even though the public record does not disclose its full mechanics.
Patch First, Then Tighten Workbook Handling
The primary action is to install the July 14 Office updates and confirm that devices actually move beyond the vulnerable versions. Security teams should give particular attention to machines held on deferred Microsoft 365 Apps channels, persistent virtual desktops, offline laptops, shared workstations, and legacy MSI-based Office deployments.While updates are being validated, existing Office controls can reduce exposure. Organizations can continue blocking unsolicited Office files at high-risk entry points, using Protected View and Microsoft Defender attachment scanning, restricting outbound connections from Office applications where operationally feasible, and isolating documents from untrusted senders.
Those controls should remain supporting layers rather than substitutes for the update. A trusted sender’s account can be compromised, and malicious files can arrive through Teams, SharePoint, OneDrive, browser downloads, removable media, or line-of-business portals instead of conventional email.
Administrators should record at least four items during verification: the Office servicing model, the installed build, the update channel, and whether Office Online Server is present. For Excel 2016, build 16.0.5561.1001 or later is the concrete threshold in Microsoft’s vulnerability record; on Mac, the corresponding threshold is 16.111.26071215.
CVE-2026-55054 is not currently described as exploited in the wild, and it does not provide remote code execution. Its practical risk is narrower but still clear: an unpatched Excel installation can be induced to disclose data after a user handles attacker-controlled content. The July Office rollout closes that path, provided organizations verify the corrected build rather than assuming that an update policy has already delivered it.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: techradar.com
This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data | TechRadar
There's more than one way to skin an Excel tablewww.techradar.com - Official source: support.microsoft.com
Description of the security update for Excel 2016: June 9, 2026 (KB5002877) | Microsoft Support
Description of the security update for Excel 2016: June 9, 2026 (KB5002877)support.microsoft.com