CVE-2026-47642: Update Excel to Fix 7.8 RCE Flaw

CVE-2026-47642 is an Important-severity Microsoft Excel flaw that can give an attacker code execution after the vulnerable workbook or related content is processed on the target device. Microsoft calls it a Remote Code Execution vulnerability even though its CVSS vector begins with AV:L, because “remote” describes the attacker’s position in the broader attack scenario, while the CVSS Attack Vector describes where the vulnerable operation must occur.
Published with Microsoft’s July 14, 2026 security updates, the use-after-free vulnerability carries a CVSS 3.1 base score of 7.8. Microsoft’s advisory and the National Vulnerability Database describe it more precisely as allowing an unauthorized attacker to execute code locally, with user interaction required.
That combination is not contradictory. It distinguishes the eventual impact—attacker-controlled code—from the technical boundary across which exploitation takes place.

Infographic showing a malicious Excel macro exploiting memory corruption for remote code execution.Remote Delivery Does Not Make the Parser Network-Reachable​

The full Microsoft-supplied vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Its most important elements for understanding the naming are Local Attack Vector, low attack complexity, no privileges required and required user interaction.
In practical terms, Excel is not presented as a network service that an unauthenticated attacker can directly target across the internet. Something must happen on the affected computer, such as a user opening attacker-controlled content or another local process causing Excel’s vulnerable code to process it.
The attacker can still be physically and geographically remote. A malicious document might arrive through email, a collaboration platform, cloud storage, a download or another delivery channel, but the memory-corruption trigger is reached when Excel processes the content locally.
This is the distinction Microsoft makes in its advisory:
  • The attacker may be remote from the victim and use remotely delivered content.
  • The vulnerable Excel code executes on the victim’s device.
  • Exploitation requires an action on that local device.
  • Successful exploitation can run attacker-controlled code in the affected user’s security context.
Calling the issue arbitrary code execution, or ACE, would avoid some of the linguistic confusion. Microsoft nevertheless uses Remote Code Execution as an impact category for many Office vulnerabilities in which a remote attacker can prepare and deliver content that ultimately results in code execution on the recipient’s computer.

CVSS Scores the Exploitation Boundary, Not the Email Route​

CVSS Attack Vector does not answer “Could an attacker send this from another country?” It measures the access path required to reach the vulnerable component.
An AV:N vulnerability generally means exploitation can cross a network boundary directly. A vulnerable service may accept a malicious packet, request or protocol message without the attacker first obtaining local execution or persuading a user to process a file.
AV:L instead means the exploit must be initiated from the target system’s local context. For CVE-2026-47642, Microsoft says either the attacker or the victim must execute code locally to trigger the vulnerable behavior. The UI:R component reinforces that this is not described as a completely unattended, internet-facing compromise.
That does not necessarily mean the attacker already needs a Windows account. The vector contains PR:N, indicating that prior privileges are not required. A common Office attack chain can therefore begin with an external attacker, move through document delivery and social engineering, and finish with local parsing and code execution when the recipient interacts with the content.
The local rating consequently lowers the CVSS score compared with a fully network-reachable, no-interaction flaw. It does not reduce the final damage metrics: Microsoft assigns High confidentiality, integrity and availability impact, reflecting the potential consequences of successful code execution.

A Use-After-Free Turns Excel Content Into Code Execution​

Microsoft classifies CVE-2026-47642 as CWE-416, Use After Free. This class of memory-safety bug occurs when software continues using an object or memory region after it has been released.
An attacker who can influence the program’s memory state may be able to replace or manipulate the freed data before Excel uses it again. Depending on platform protections and the precise implementation, that can turn a crash into controlled execution.
Microsoft has not published enough technical detail to reconstruct the exact workbook structure or Excel feature involved. Administrators should therefore avoid assuming that disabling macros alone eliminates the risk. A memory-corruption vulnerability in Excel’s native processing code is a different category from a malicious VBA macro, even when both attacks may arrive as spreadsheet content.
The National Vulnerability Database was still enriching the record on July 15, one day after publication. Its current entry repeats Microsoft’s local-code-execution description and the 7.8 CVSS score rather than providing an independent NIST assessment.
There was also no indication in the initial public data that CVE-2026-47642 had been exploited in the wild or publicly disclosed before Microsoft’s update. The Zero Day Initiative’s July security review listed both exploitation and public disclosure as “No.” That lowers immediate incident-response urgency compared with an active zero-day, but it does not make continued exposure safe.

The Patch Reaches Windows, Mac and Office Online Server​

The affected-product data covers both desktop and server-side Office deployments. Microsoft lists Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024 and corresponding 32-bit and 64-bit installations among the affected Windows products.
Microsoft 365 and LTSC editions on macOS are also affected. The corrected Mac release is version 16.111.26071215; installations older than that build remain within the vulnerable range identified in the CVE record.
Office Online Server is affected below version 16.0.10417.20175. Microsoft’s July update for that product is associated with KB5002884, making server inventory especially important for organizations that may focus primarily on desktop Excel deployments.
Microsoft 365 Apps normally receives Office security fixes through its servicing channel, while perpetual Office and Office Online Server installations may require conventional update deployment and compliance verification. Administrators should confirm the installed Office build rather than relying solely on the presence of July’s Windows cumulative update, because Office servicing is a separate patch path.
Email filtering, Microsoft Defender protections, Protected View and restrictions on untrusted Office content remain useful layers. None should be treated as a substitute for updating, particularly because Microsoft has not disclosed enough exploit detail to define a complete workaround.
For CVE-2026-47642, Remote Code Execution names the outcome and attacker scenario; AV:L names the point at which exploitation happens. The attack may begin remotely, but Excel must encounter the trigger locally—and that local step can still end with attacker-controlled code running on the user’s machine.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top