Microsoft has patched CVE-2026-48580, an Important-rated information disclosure vulnerability in Excel that can expose sensitive memory when a user interacts with malicious content. The flaw affects Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021 and 2024, Office for Mac, and Office Online Server.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability is caused by an untrusted pointer dereference in Microsoft Office Excel. Microsoft says an unauthorized attacker can exploit the weakness locally, but successful exploitation requires user interaction.
The CVE carries a CVSS 3.1 base score of 5.5. That number puts it in the medium range numerically, but Microsoft classifies the vulnerability as Important because a successful attack can have a high impact on confidentiality.
Microsoft’s CVSS vector for CVE-2026-48580 is
Microsoft has not published a proof of concept or a step-by-step description of the triggering document structure. However, the local attack vector and required user interaction point toward a malicious workbook or another Office document that reaches Excel’s vulnerable processing path.
An attacker could distribute such a file through email, Microsoft Teams, cloud-storage links, collaboration platforms, compromised websites, or shared network folders. The vulnerability is not described as a network service that can be attacked directly simply because Excel is installed.
The underlying weakness is tracked as CWE-822, Untrusted Pointer Dereference. This class of bug occurs when software uses a pointer without adequately establishing that it references valid, trustworthy memory. Depending on the surrounding code and memory state, that mistake can cause a crash, expose data, or sometimes become a building block for a more complex exploit.
For CVE-2026-48580, Microsoft has scored only the confidentiality impact as high. The CVSS assessment does not credit the vulnerability with the ability to modify data, execute arbitrary code, or disrupt availability. That distinction matters: this is an information disclosure issue, not one of the numerous Excel remote-code-execution vulnerabilities also addressed in the July release.
Still, information leaked from an Office process could be valuable. Memory may contain workbook data, fragments of other documents, authentication material, file paths, addresses useful for bypassing exploit mitigations, or application state that helps an attacker prepare a second stage. Microsoft has not specified exactly what information can be recovered in this case, so administrators should not assume that every exploitation attempt would expose credentials or complete documents.
Affected products include:
Excel 2016 also requires deliberate inventory work. Microsoft released KB5002886 for its MSI-based deployment, and vulnerability scanners may continue to flag machines reporting an Excel version below 16.0.5561.1001. Organizations that retain Office 2016 for compatibility with macros, add-ins, manufacturing software, or line-of-business applications should confirm the installed file version rather than relying solely on a successful Windows Update scan.
For Microsoft 365 Apps and supported perpetual Click-to-Run editions, Microsoft directs customers toward the latest Office security releases rather than supplying one universal version number. Different update channels can legitimately report different builds, making compliance checks more complicated than searching every endpoint for the same binary version.
Confirmed means Microsoft or sufficiently detailed technical evidence has established that the vulnerability exists. It does not mean exploitation has been observed in customer environments, that exploit code is publicly available, or that attackers are already circulating weaponized spreadsheets.
At publication, Microsoft assessed exploitation as less likely and indicated that CVE-2026-48580 was neither publicly disclosed nor known to be exploited. Its temporal vector includes
Those factors reduce the temporal score, but they should not turn the update into optional maintenance. The combination of low attack complexity, no privilege requirement, and high confidentiality impact makes the flaw relevant anywhere users routinely exchange spreadsheets with customers, suppliers, contractors, or other external parties.
The vulnerability also arrived in a crowded July 2026 Office release. BleepingComputer’s Patch Tuesday accounting lists numerous Excel information disclosure and remote code execution issues alongside CVE-2026-48580. Administrators therefore gain little by trying to isolate and deploy only the fix for this CVE; the applicable cumulative or Office security update addresses a wider set of document-processing risks.
Protected View, Mark of the Web handling, email filtering, attachment detonation, and endpoint detection can reduce exposure, but Microsoft has not presented any of them as a complete mitigation for CVE-2026-48580. Security teams should avoid assuming that macro blocking alone solves the problem; the advisory describes a memory-handling error, not a malicious VBA requirement.
The most useful administrative checks are concrete:
CVE-2026-48580 is not a zero-day emergency according to Microsoft’s initial assessment, but its wide product coverage makes deployment completeness the real challenge. The immediate milestone for IT teams is not merely approving the July Office updates; it is proving that older Excel 2016 installations, Mac clients, Click-to-Run channels, and Office Online Server have all crossed their respective fixed-version thresholds.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability is caused by an untrusted pointer dereference in Microsoft Office Excel. Microsoft says an unauthorized attacker can exploit the weakness locally, but successful exploitation requires user interaction.
The CVE carries a CVSS 3.1 base score of 5.5. That number puts it in the medium range numerically, but Microsoft classifies the vulnerability as Important because a successful attack can have a high impact on confidentiality.
A Malicious Workbook Is the Likely Delivery Mechanism
Microsoft’s CVSS vector for CVE-2026-48580 is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, the attacker does not need an existing account or elevated privileges, and the technical complexity of exploitation is considered low. The obstacle is that another person must participate by opening or otherwise interacting with attacker-controlled Excel content.Microsoft has not published a proof of concept or a step-by-step description of the triggering document structure. However, the local attack vector and required user interaction point toward a malicious workbook or another Office document that reaches Excel’s vulnerable processing path.
An attacker could distribute such a file through email, Microsoft Teams, cloud-storage links, collaboration platforms, compromised websites, or shared network folders. The vulnerability is not described as a network service that can be attacked directly simply because Excel is installed.
The underlying weakness is tracked as CWE-822, Untrusted Pointer Dereference. This class of bug occurs when software uses a pointer without adequately establishing that it references valid, trustworthy memory. Depending on the surrounding code and memory state, that mistake can cause a crash, expose data, or sometimes become a building block for a more complex exploit.
For CVE-2026-48580, Microsoft has scored only the confidentiality impact as high. The CVSS assessment does not credit the vulnerability with the ability to modify data, execute arbitrary code, or disrupt availability. That distinction matters: this is an information disclosure issue, not one of the numerous Excel remote-code-execution vulnerabilities also addressed in the July release.
Still, information leaked from an Office process could be valuable. Memory may contain workbook data, fragments of other documents, authentication material, file paths, addresses useful for bypassing exploit mitigations, or application state that helps an attacker prepare a second stage. Microsoft has not specified exactly what information can be recovered in this case, so administrators should not assume that every exploitation attempt would expose credentials or complete documents.
The Affected Office Footprint Is Broad
The CVE record identifies both Windows and macOS editions, along with Office Online Server. This is not an Excel 2016-only issue, although that perpetual release has a conventional KB package and a clearly documented fixed version.Affected products include:
- Microsoft 365 Apps for enterprise on 32-bit and 64-bit Windows systems must be brought to a current security release.
- Microsoft Excel 2016 must be updated to version 16.0.5561.1001 or later through KB5002886.
- Microsoft Office 2019 on 32-bit and 64-bit Windows systems must receive the applicable Office security release.
- Microsoft Office LTSC 2021 and Office LTSC 2024 on Windows must receive their current security updates.
- Microsoft 365 and Office LTSC installations on macOS must be updated to version 16.111.26071215 or later.
- Office Online Server must be updated to build 16.0.10417.20175 or later.
Excel 2016 also requires deliberate inventory work. Microsoft released KB5002886 for its MSI-based deployment, and vulnerability scanners may continue to flag machines reporting an Excel version below 16.0.5561.1001. Organizations that retain Office 2016 for compatibility with macros, add-ins, manufacturing software, or line-of-business applications should confirm the installed file version rather than relying solely on a successful Windows Update scan.
For Microsoft 365 Apps and supported perpetual Click-to-Run editions, Microsoft directs customers toward the latest Office security releases rather than supplying one universal version number. Different update channels can legitimately report different builds, making compliance checks more complicated than searching every endpoint for the same binary version.
“Confirmed” Describes Evidence, Not Active Attacks
The advisory’s report-confidence metric is marked Confirmed. That wording can sound more alarming than Microsoft intends, particularly when copied into automated vulnerability-management tickets without the rest of the CVSS context.Confirmed means Microsoft or sufficiently detailed technical evidence has established that the vulnerability exists. It does not mean exploitation has been observed in customer environments, that exploit code is publicly available, or that attackers are already circulating weaponized spreadsheets.
At publication, Microsoft assessed exploitation as less likely and indicated that CVE-2026-48580 was neither publicly disclosed nor known to be exploited. Its temporal vector includes
E:U, meaning unproven exploit code, RL:O, meaning an official fix is available, and RC:C, meaning report confidence is confirmed.Those factors reduce the temporal score, but they should not turn the update into optional maintenance. The combination of low attack complexity, no privilege requirement, and high confidentiality impact makes the flaw relevant anywhere users routinely exchange spreadsheets with customers, suppliers, contractors, or other external parties.
The vulnerability also arrived in a crowded July 2026 Office release. BleepingComputer’s Patch Tuesday accounting lists numerous Excel information disclosure and remote code execution issues alongside CVE-2026-48580. Administrators therefore gain little by trying to isolate and deploy only the fix for this CVE; the applicable cumulative or Office security update addresses a wider set of document-processing risks.
Patch Verification Matters More Than Workbook Policing
There is no vendor-provided workaround listed that offers the same protection as installing the update. Blocking all externally supplied spreadsheets may be impractical, while training users not to open suspicious files remains an imperfect control against documents delivered through trusted or compromised accounts.Protected View, Mark of the Web handling, email filtering, attachment detonation, and endpoint detection can reduce exposure, but Microsoft has not presented any of them as a complete mitigation for CVE-2026-48580. Security teams should avoid assuming that macro blocking alone solves the problem; the advisory describes a memory-handling error, not a malicious VBA requirement.
The most useful administrative checks are concrete:
- Verify that Excel 2016 systems have KB5002886 and report version 16.0.5561.1001 or newer.
- Confirm that Microsoft 365 Apps and Office 2019, LTSC 2021, and LTSC 2024 devices completed their July 2026 security update cycle.
- Confirm that Office for Mac installations have reached version 16.111.26071215 or later.
- Inventory Office Online Server separately and verify build 16.0.10417.20175 or later.
- Investigate endpoints whose Office update channel is stalled, disabled, or significantly behind its assigned servicing baseline.
CVE-2026-48580 is not a zero-day emergency according to Microsoft’s initial assessment, but its wide product coverage makes deployment completeness the real challenge. The immediate milestone for IT teams is not merely approving the July Office updates; it is proving that older Excel 2016 installations, Mac clients, Click-to-Run channels, and Office Online Server have all crossed their respective fixed-version thresholds.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: June 9, 2026 (KB5002877) | Microsoft Support
Description of the security update for Excel 2016: June 9, 2026 (KB5002877)support.microsoft.com - Related coverage: techradar.com
This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data | TechRadar
There's more than one way to skin an Excel tablewww.techradar.com