CVE-2026-54988: July 14 Excel Updates Fix Memory Leak and Crashes

CVE-2026-54988 can expose a limited amount of memory from Microsoft Excel and then force the affected application or service to become unavailable. Microsoft rates the flaw 6.1, Medium, with the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H, making the availability impact considerably more serious than the information leak suggested by the vulnerability’s title.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is an out-of-bounds read in Microsoft Office Excel. The National Vulnerability Database lists Microsoft as the assigning authority and identifies the underlying weakness as CWE-125.
The short version is that a successful attacker may be able to read memory Excel was not supposed to expose, but not choose or alter workbook data directly. The same invalid memory access may also crash Excel or an Excel-based service, accounting for the unusually high availability rating.

Cybersecurity-themed computer graphic shows an Excel spreadsheet, data transfer, security icons, and an “out-of-bounds read” warning.The CVSS Vector Describes Two Different Consequences​

The vulnerability’s title emphasizes information disclosure because the underlying programming error lets Excel read outside the intended boundaries of a memory buffer. That can expose fragments of data already present in the application’s memory, potentially including workbook content, temporary values, file paths, or other process information.
Microsoft assigns confidentiality a Low rating, written as C:L. Under the CVSS 3.1 specification maintained by FIRST, Low means some restricted information may be obtained, but the attacker either lacks control over exactly what is disclosed or the amount and type of exposed information are limited. It does not mean that every cell, workbook, credential, or file on the computer can be retrieved.
Integrity is rated None, or I:N. Based on the demonstrated effect used for scoring, exploitation does not let the attacker modify spreadsheets, overwrite files, change formulas, install software, or alter system settings. This is not a remote-code-execution or privilege-escalation vulnerability.
Availability is rated High, or A:H, because the malformed memory operation can have a much more disruptive operational effect. Excel may terminate, hang, or become unusable after processing malicious content. In a server deployment, repeated exploitation could potentially prevent users from accessing the affected Excel-processing function.
That distinction matters: CVSS availability measures whether the affected component continues operating, not whether the contents of a workbook still exist. An Excel crash can therefore produce a High availability impact even when documents remain intact on disk.
High availability impact does not automatically mean the entire Windows computer will crash. The component at risk is generally Excel or the Office service processing the content. Microsoft’s published description does not characterize CVE-2026-54988 as a Windows kernel vulnerability or claim that exploitation causes a system-wide failure.

Exploitation Still Requires a Local Path and User Action​

The rest of the vector limits the practical attack scenario. AV:L means the attack vector is Local rather than Network. An attacker cannot simply scan an exposed Windows PC over the internet and exploit Excel without another delivery or access mechanism.
UI:R means user interaction is required. In a typical Office attack chain, this would involve convincing a user to open or process specially crafted content. Microsoft’s short public description does not provide the exact file format, workbook feature, or interaction needed to reach the vulnerable code path, so administrators should not assume that only traditional .xlsx attachments are relevant.
The PR:N rating indicates that the attacker does not need to be authenticated or already hold privileges in the vulnerable component before setting up the attack. That may sound inconsistent with a Local attack vector, but the two metrics measure different things. A malicious file delivered by email, chat, a shared drive, or a downloaded archive can be opened locally without the sender possessing an account on the victim’s computer.
Attack complexity is Low, represented by AC:L. CVSS uses that value when exploitation does not depend on specialized conditions outside the attacker’s control. It does not prove that exploit code is publicly available; it means that once the required user interaction occurs, Microsoft does not consider the technical prerequisites unusually difficult or unreliable.
Scope is Unchanged, or S:U, meaning the security impact remains within the authority of the affected Excel component. Microsoft’s score does not claim that the flaw crosses a security boundary into another Windows service or administrative context.
Together, the vector describes a malicious-content scenario rather than a self-propagating network attack:
  • An attacker prepares content that triggers Excel’s out-of-bounds read.
  • The attacker gets a user or an application workflow to process that content.
  • Excel may expose a limited fragment of process memory.
  • The same operation may crash or disable the affected Excel component.
  • The attacker does not gain a scored ability to modify data or execute arbitrary code.
Microsoft has not publicly documented active exploitation in the advisory material available at publication. CISA’s initial Stakeholder-Specific Vulnerability Categorization record also marked exploitation as none and assessed the technical impact as partial. Those indicators can change as researchers and defenders investigate newly published Patch Tuesday vulnerabilities.

Desktop Excel Is Not the Only Deployment in Scope​

Microsoft’s affected-product data covers both Windows and macOS editions of Office. It includes Microsoft 365 Apps for enterprise, Excel 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024.
Office 365 for Mac and Office LTSC for Mac 2021 and 2024 are also affected below version 16.111.26071215. The inclusion of Mac builds reinforces that this is an Excel or Office code defect rather than a vulnerability confined to Windows.
Office Online Server is affected before version 16.0.10417.20175. That entry deserves attention from enterprise administrators because availability failures on a shared server have a different operational footprint from an Excel crash on one workstation. A malicious document repeatedly submitted to a vulnerable server-side workflow could disrupt access for multiple users, depending on how the service handles failures and restarts.
Excel 2016 is listed as affected before 16.0.5561.1001 on both 32-bit and 64-bit systems. Microsoft directs Click-to-Run and newer Office customers to the applicable Office security release information because build numbers differ by product and servicing channel.
For managed Microsoft 365 Apps deployments, administrators should verify that devices have received the July 14, 2026 Office security updates rather than relying solely on Windows Update compliance. Office update channels, deployment rings, update deadlines, and disabled automatic updates can leave Excel behind even when the underlying Windows installation is fully patched.

Availability Raises the Priority for Shared Workflows​

CVE-2026-54988 is not scored like an Excel takeover. The confidentiality loss is constrained, there is no scored data modification, and exploitation requires someone or something to process malicious content locally. Those factors justify its Medium base score.
The A:H metric nevertheless makes it relevant to organizations that use Excel as part of automated reporting, financial processing, document conversion, or Office Online Server workflows. A repeatable Excel crash can interrupt scheduled jobs, block document previews, strand users in shared sessions, or trigger repeated service restarts even if the attacker never obtains useful memory contents.
Email filtering, Protected View, Mark of the Web handling, application control, and restrictions on untrusted Office documents can reduce exposure, but they should not replace the vendor update. Organizations should prioritize Office Online Server and unattended systems that automatically ingest spreadsheets, then update interactive Excel installations through their normal validation rings.
The practical reading of Microsoft’s metrics is therefore narrower than “attackers can steal your Excel files,” but more disruptive than the Information Disclosure label alone suggests: CVE-2026-54988 can leak a limited, unpredictable slice of Excel memory and can reliably threaten the availability of the affected Excel component. The July 14 Office updates are the concrete fix, and administrators should confirm the installed Office build rather than treating Windows patch status as proof that Excel is protected.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top