Microsoft has patched CVE-2026-50408, an Important-rated Excel information disclosure vulnerability that can expose sensitive memory contents when a user interacts with a malicious file. The flaw affects Microsoft 365 Apps for enterprise, Excel 2016, Office 2019, Office LTSC 2021 and 2024, Office for Mac, and Office Online Server.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability carries a CVSS 3.1 base score of 5.5. Microsoft describes the underlying weakness as an out-of-bounds read in Excel, meaning the application can be induced to read data beyond the memory region it was supposed to access.
The result is a confidentiality problem rather than code execution: a successful attack could disclose information, but Microsoft’s scoring indicates no direct loss of data integrity or system availability. The company has released fixes through the affected Office servicing channels, including KB5002886 for the MSI-based edition of Excel 2016 and KB5002884 for Office Online Server.
CVE-2026-50408 is classified as a local attack with low complexity. It requires no existing privileges, but it does require user interaction, which strongly suggests that an attacker must persuade a target to open or otherwise process specially crafted Excel content.
That distinction matters. The flaw cannot simply be triggered against an exposed Windows PC over the network, and Microsoft’s CVSS vector does not describe a zero-click path. Email attachments, shared workbooks, collaboration platforms, file-transfer portals, and downloads remain the more credible delivery routes.
The vulnerability’s full CVSS vector is
An out-of-bounds read can reveal information that happens to reside in the affected process’s memory. Exactly what could be recovered will depend on Excel’s state, the crafted document, and the reliability of the attack technique. Microsoft has not publicly documented a repeatable recipe for extracting a particular password, workbook value, authentication token, or other specific data type, so administrators should avoid treating those outcomes as established facts.
The CVSS score includes report confidence: confirmed. That metric is often misunderstood as evidence that exploitation is underway. It instead means Microsoft considers the vulnerability and its technical basis sufficiently established, whether through vendor validation, detailed research, or functional reproduction.
Microsoft’s vector also marks exploit-code maturity as unproven and remediation as an official fix. As of the initial July 14 advisory, the available information does not establish public disclosure before the coordinated release or active exploitation in the wild.
The affected product list published with the CVE includes:
For MSI-based Excel 2016, Microsoft says KB5002886 replaces the earlier KB5002865 update. The July package is available through Microsoft Update, the Microsoft Update Catalog, and the Microsoft Download Center, with separate x86 and x64 installers. Microsoft lists 16.0.5561.1001 as the corrected Excel 2016 version threshold.
Office Online Server needs separate attention because it may be treated as infrastructure rather than as part of the desktop Office fleet. Microsoft associates CVE-2026-50408 with the July 14 Office Online Server security update KB5002884. Administrators should verify the installed server build after patching rather than assuming desktop Office policies cover it.
The inclusion of Office for Mac also prevents this from being handled as a Windows-only exposure. Mac administrators should confirm that supported installations have reached build 16.111.26071215 or newer, including devices that may not regularly connect to corporate management systems.
The relatively modest base score is largely explained by the need for local interaction and the absence of integrity or availability damage. The confidentiality impact, however, is rated high. In environments where users handle financial models, customer records, internal forecasts, research data, or regulated information in Excel, a memory-disclosure flaw still deserves prompt deployment.
It should not outrank an actively exploited remote-code-execution vulnerability solely because Excel is widely installed. Conversely, administrators should not defer it indefinitely because its CVSS score begins with a five. Its most natural place is in the normal July Office security rollout, accelerated for systems that routinely receive untrusted spreadsheets.
Email and web controls remain useful layers while updates propagate. Blocking unexpected workbook attachments, retaining Mark of the Web metadata, using Protected View, and isolating externally sourced files can reduce opportunities for user-assisted exploitation. Those controls are not substitutes for installing the corrected Office builds, particularly because legitimate collaboration workflows frequently require users to open spreadsheets from outside their organization.
Administrators should identify the Office product, architecture, update technology, channel, and installed build on each system. For Excel 2016 MSI installations, KB5002886 and version 16.0.5561.1001 provide concrete verification points. Microsoft 365 Apps, Office 2019, and Office LTSC systems should be checked against Microsoft’s July 2026 Office security release builds for their assigned channels.
Security teams should also account for machines that missed the July 14 maintenance window, including powered-off laptops, virtual desktops kept in a suspended state, and systems excluded from normal Office updates because of add-in compatibility testing. Excel add-ins and line-of-business integrations justify staged validation, but they do not remove the underlying exposure.
CVE-2026-50408 is not presented as an actively exploited Excel zero-day, and exploitation requires a user to participate. The concrete action is nevertheless straightforward: deploy the July 14, 2026 Office fixes, verify the resulting product versions, and make sure Office Online Server and Mac installations are not left outside a Windows-centered patch campaign.
Detailed in the Microsoft Security Response Center’s July 14, 2026 advisory, the vulnerability carries a CVSS 3.1 base score of 5.5. Microsoft describes the underlying weakness as an out-of-bounds read in Excel, meaning the application can be induced to read data beyond the memory region it was supposed to access.
The result is a confidentiality problem rather than code execution: a successful attack could disclose information, but Microsoft’s scoring indicates no direct loss of data integrity or system availability. The company has released fixes through the affected Office servicing channels, including KB5002886 for the MSI-based edition of Excel 2016 and KB5002884 for Office Online Server.
A Malicious Workbook Still Needs a User
CVE-2026-50408 is classified as a local attack with low complexity. It requires no existing privileges, but it does require user interaction, which strongly suggests that an attacker must persuade a target to open or otherwise process specially crafted Excel content.That distinction matters. The flaw cannot simply be triggered against an exposed Windows PC over the network, and Microsoft’s CVSS vector does not describe a zero-click path. Email attachments, shared workbooks, collaboration platforms, file-transfer portals, and downloads remain the more credible delivery routes.
The vulnerability’s full CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C. In practical terms, Microsoft assigns a high potential confidentiality impact while leaving integrity and availability unaffected.An out-of-bounds read can reveal information that happens to reside in the affected process’s memory. Exactly what could be recovered will depend on Excel’s state, the crafted document, and the reliability of the attack technique. Microsoft has not publicly documented a repeatable recipe for extracting a particular password, workbook value, authentication token, or other specific data type, so administrators should avoid treating those outcomes as established facts.
The CVSS score includes report confidence: confirmed. That metric is often misunderstood as evidence that exploitation is underway. It instead means Microsoft considers the vulnerability and its technical basis sufficiently established, whether through vendor validation, detailed research, or functional reproduction.
Microsoft’s vector also marks exploit-code maturity as unproven and remediation as an official fix. As of the initial July 14 advisory, the available information does not establish public disclosure before the coordinated release or active exploitation in the wild.
The Affected Office Footprint Extends Beyond Excel 2016
Although Microsoft’s standalone support article is specifically named for Excel 2016, the CVE record covers a substantially wider Office estate. Both 32-bit and 64-bit deployments are affected where those platform distinctions apply.The affected product list published with the CVE includes:
- Microsoft 365 Apps for enterprise requires the applicable July 2026 Office security release for its update channel.
- Microsoft Excel 2016 installations older than version 16.0.5561.1001 are affected.
- Microsoft Office 2019 is affected and receives remediation through its Office servicing channel.
- Microsoft Office LTSC 2021 and Office LTSC 2024 are affected.
- Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 require version 16.111.26071215 or later.
- Office Online Server installations older than 16.0.10417.20175 are affected.
For MSI-based Excel 2016, Microsoft says KB5002886 replaces the earlier KB5002865 update. The July package is available through Microsoft Update, the Microsoft Update Catalog, and the Microsoft Download Center, with separate x86 and x64 installers. Microsoft lists 16.0.5561.1001 as the corrected Excel 2016 version threshold.
Office Online Server needs separate attention because it may be treated as infrastructure rather than as part of the desktop Office fleet. Microsoft associates CVE-2026-50408 with the July 14 Office Online Server security update KB5002884. Administrators should verify the installed server build after patching rather than assuming desktop Office policies cover it.
The inclusion of Office for Mac also prevents this from being handled as a Windows-only exposure. Mac administrators should confirm that supported installations have reached build 16.111.26071215 or newer, including devices that may not regularly connect to corporate management systems.
Microsoft’s “Important” Rating Carries More Weight Than the Number Alone
A CVSS score of 5.5 falls into the Medium range under the standard numerical bands, yet Microsoft rates CVE-2026-50408 as Important. The difference reflects two related but distinct systems: CVSS describes technical characteristics, while Microsoft’s severity rating informs the vendor’s product-specific remediation guidance.The relatively modest base score is largely explained by the need for local interaction and the absence of integrity or availability damage. The confidentiality impact, however, is rated high. In environments where users handle financial models, customer records, internal forecasts, research data, or regulated information in Excel, a memory-disclosure flaw still deserves prompt deployment.
It should not outrank an actively exploited remote-code-execution vulnerability solely because Excel is widely installed. Conversely, administrators should not defer it indefinitely because its CVSS score begins with a five. Its most natural place is in the normal July Office security rollout, accelerated for systems that routinely receive untrusted spreadsheets.
Email and web controls remain useful layers while updates propagate. Blocking unexpected workbook attachments, retaining Mark of the Web metadata, using Protected View, and isolating externally sourced files can reduce opportunities for user-assisted exploitation. Those controls are not substitutes for installing the corrected Office builds, particularly because legitimate collaboration workflows frequently require users to open spreadsheets from outside their organization.
Patch Verification Is the Real Administrative Task
The chief deployment risk is fragmentation. An organization may have Microsoft 365 Apps on Current Channel, Office LTSC on fixed workstations, an old MSI-based Excel 2016 installation attached to a business application, Office for Mac on executive devices, and Office Online Server in a separate server-management scope. A single “Office patched” status can conceal gaps across those servicing models.Administrators should identify the Office product, architecture, update technology, channel, and installed build on each system. For Excel 2016 MSI installations, KB5002886 and version 16.0.5561.1001 provide concrete verification points. Microsoft 365 Apps, Office 2019, and Office LTSC systems should be checked against Microsoft’s July 2026 Office security release builds for their assigned channels.
Security teams should also account for machines that missed the July 14 maintenance window, including powered-off laptops, virtual desktops kept in a suspended state, and systems excluded from normal Office updates because of add-in compatibility testing. Excel add-ins and line-of-business integrations justify staged validation, but they do not remove the underlying exposure.
CVE-2026-50408 is not presented as an actively exploited Excel zero-day, and exploitation requires a user to participate. The concrete action is nevertheless straightforward: deploy the July 14, 2026 Office fixes, verify the resulting product versions, and make sure Office Online Server and Mac installations are not left outside a Windows-centered patch campaign.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: June 9, 2026 (KB5002877) | Microsoft Support
Description of the security update for Excel 2016: June 9, 2026 (KB5002877)support.microsoft.com - Related coverage: techradar.com
An ancient Microsoft Excel security flaw could let hackers hijack your entire system, so patch now | TechRadar
CISA is warning about ongoing exploitation of a 2008 bugwww.techradar.com