CVE-2026-50678: Patch Excel Buffer Overflow in July 2026

Microsoft has patched CVE-2026-50678, a Microsoft Excel heap-based buffer overflow that can expose information and disrupt the application when a user interacts with malicious content. Released on July 14, 2026, the flaw affects Microsoft 365 Apps for enterprise, Excel 2016, Office 2019, Office LTSC 2021 and 2024, Office for Mac, and Office Online Server.
Detailed in Microsoft’s Security Update Guide and CVE record, the vulnerability carries a CVSS 3.1 base score of 6.6, placing it in the Medium severity range. Microsoft nevertheless treats the underlying report as confirmed, meaning administrators should not mistake the absence of active exploitation for uncertainty about whether the bug exists.
CISA’s initial assessment recorded no known exploitation as of July 14. No public proof-of-concept exploit was identified at publication time.

A cybersecurity display flags a malicious Excel attachment and heap corruption while showing a protective patch applied.A Buffer Overflow With More Than One Consequence​

CVE-2026-50678 is classified as CWE-122, a heap-based buffer overflow. This class of memory-safety error occurs when software writes more data into a heap allocation than the program reserved, potentially corrupting adjacent memory.
Microsoft describes the security impact as local information disclosure, but the CVSS vector shows a broader range of possible effects:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
The local attack vector and required user interaction mean the flaw cannot simply be triggered against an exposed Excel installation over the network. An attacker must get content onto the target system and persuade a user to interact with it, making email attachments, collaboration platforms, downloads, and shared document repositories the most plausible delivery channels.
Microsoft’s scoring assigns low confidentiality and integrity impact but high availability impact. In practical terms, successful exploitation could reveal some information, alter limited data, and cause a substantial loss of availability, such as terminating Excel or leaving the application unable to process the affected content reliably.
That distinction matters. The vulnerability is not described as a remote code execution flaw, and Microsoft has not said that it gives an attacker complete control of a Windows PC. Administrators should therefore avoid conflating CVE-2026-50678 with the higher-severity Excel vulnerabilities that directly permit arbitrary code execution.
Heap corruption remains unpredictable, however. Even when a vendor’s demonstrated security impact is information disclosure or denial of service, malformed files that reach unsafe native-code parsing routines deserve prompt attention.

Supported Office Branches Need Different Updates​

The affected-product list extends beyond the familiar Microsoft 365 desktop client. Microsoft identifies the following product families as vulnerable:
  • Microsoft 365 Apps for enterprise is affected on 32-bit and 64-bit Windows systems.
  • Microsoft Excel 2016 is affected in versions earlier than 16.0.5561.1001.
  • Microsoft Office 2019 is affected on 32-bit and 64-bit Windows systems.
  • Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
  • Microsoft 365 for Mac is affected in versions earlier than 16.111.26071215.
  • Microsoft Office LTSC for Mac 2021 and 2024 are affected in versions earlier than 16.111.26071215.
  • Office Online Server is affected in versions earlier than 16.0.10417.20175.
The breadth of this list makes deployment verification more important than simply checking whether Windows Update completed. Microsoft 365 Apps, MSI-based Office 2016 installations, perpetual Click-to-Run releases, Mac clients, and Office Online Server follow different servicing paths.
For Microsoft 365 Apps, administrators should consult the Office release history for the update channel assigned to each device. Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel, and their preview variants can receive fixed builds on different schedules. A device reporting that Office is “up to date” may only mean it has reached the newest build approved for its configured channel.
Office 2016 requires particular care because Click-to-Run and Windows Installer editions are serviced differently. The CVE record establishes 16.0.5561.1001 as the corrected threshold for affected Excel 2016 installations, giving inventory teams a concrete version to test rather than relying exclusively on update-installation status.
Mac administrators should verify that Microsoft 365 or Office LTSC has reached at least version 16.111.26071215. Office Online Server operators need to confirm version 16.0.10417.20175 or later on each server in the farm and follow Microsoft’s documented update sequence rather than treating it like a desktop Office installation.

User Interaction Narrows the Attack, Not the Patch Priority​

The CVSS metrics specify low attack complexity, no privileges required, and required user interaction. An attacker does not need an existing authenticated account on the victim’s computer, but exploitation is not automatic: a user or user-initiated process must participate.
This makes CVE-2026-50678 a natural fit for document-based social engineering. Finance, payroll, procurement, sales, and operations teams routinely open externally supplied spreadsheets, often under time pressure and with little ability to validate the sender’s file-generation software.
Protected View, Mark of the Web handling, mail filtering, and attachment sandboxing can reduce exposure, but Microsoft has not presented those controls as substitutes for installing the security update. Organizations that permit users to bypass Protected View warnings or routinely remove Mark of the Web metadata weaken some of the most useful layers between an untrusted workbook and Excel’s parsing code.
Security teams should also consider automated workflows. A vulnerability requiring user interaction may still reach systems through preview handlers, document-conversion tools, scripted Excel automation, or server-side Office services, depending on the exact vulnerable processing path. Microsoft’s public description does not provide enough technical detail to conclude that every noninteractive workflow is exposed, but Office Online Server’s inclusion makes server inventory necessary.
The lack of known exploitation lowers the immediate incident-response pressure. It does not eliminate the value of patching before technical analysis or proof-of-concept material becomes public.

Deployment Should Focus on Proof, Not Assumptions​

For managed Windows estates, the immediate job is to identify every affected Office servicing model and confirm that the July 2026 security release actually reached it. Microsoft Intune, Configuration Manager, Microsoft 365 Apps admin center inventory, Defender Vulnerability Management, and other software-management platforms can help separate patched devices from machines merely awaiting an update-channel deadline.
Administrators should prioritize users who regularly receive spreadsheets from outside the organization, shared workstations running 32-bit Office, unsupported line-of-business add-ins that delay Office updates, and Office Online Server farms. Pilot testing remains sensible where Excel add-ins or financial models are business-critical, but a compatibility test should have a defined completion date rather than becoming an indefinite deferral.
Until patch coverage is confirmed, organizations can reduce exposure by restricting unexpected Excel attachments, preserving Mark of the Web metadata, enforcing Protected View, and routing suspicious workbooks through approved analysis systems. Users should be reminded that a familiar invoice, purchase order, or shared-report theme does not make an attachment trustworthy.
CVE-2026-50678 is confirmed but not known to be exploited, and its local, user-assisted attack path keeps it below emergency zero-day status. The practical milestone is straightforward: Windows Office deployments must reach their applicable July 2026 security build, Excel 2016 must be at 16.0.5561.1001 or later, Mac clients must reach 16.111.26071215, and Office Online Server must reach 16.0.10417.20175 before administrators can close the exposure.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: techradar.com
  3. Official source: support.microsoft.com
 

Back
Top