Microsoft has patched CVE-2026-55024, a high-severity Microsoft Excel remote code execution vulnerability that can let an attacker run code after a user opens a malicious file. The flaw carries a CVSS 3.1 base score of 7.8 and affects Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC, Office for Mac, and Office Online Server.
Detailed in Microsoft’s July 14, 2026 security release, the vulnerability is a type confusion bug tracked as CWE-843. Microsoft describes it as Excel accessing a resource through an incompatible type, potentially allowing an unauthorized attacker to execute code in the context of the user running Excel.
Administrators should deploy the applicable July Office updates rather than relying solely on email filtering or user awareness. Microsoft has not disclosed public technical details sufficient to reproduce the vulnerability, but the vendor-confirmed CVE record establishes that the flaw exists, identifies the affected product families, and provides patched version boundaries.
Despite its remote code execution classification, CVE-2026-55024 is not a network-reachable Excel service that an attacker can compromise simply by connecting to a Windows PC. Microsoft’s CVSS vector is AV:L/AC:L/PR:N/UI:R, meaning exploitation uses a local attack vector, requires no existing privileges, has low attack complexity, and depends on user interaction.
The likely enterprise threat model is therefore a malicious workbook delivered through email, a collaboration platform, cloud storage, an instant message, or a download. Microsoft has not published the required file format, malformed object, or precise Excel feature involved, so defenders should avoid assuming that blocking only traditional XLS files—or only macro-enabled XLSM documents—will stop exploitation.
That distinction also matters for macro policy. Type confusion vulnerabilities arise when software processes data as the wrong kind of object, potentially corrupting memory or producing unsafe behavior. Because Microsoft has not said that VBA is required, disabling macros should not be treated as a complete mitigation for this CVE.
If exploitation succeeds, Microsoft’s scoring assigns high potential impact to confidentiality, integrity, and availability. Code would ordinarily execute with the victim’s permissions, making account privilege a decisive factor: a standard user limits immediate reach, while a user with local administrator rights could give the attacker substantially more control over the device.
Affected products include:
For MSI-based Excel 2016, Microsoft has released KB5002886. The update raises the relevant Excel 2016 version to the patched threshold and replaces the previously released KB5002865 update. Packages are available for both x86 and x64 editions through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
KB5002886 is not a one-CVE package. Microsoft says it resolves numerous Excel remote code execution and information-disclosure vulnerabilities from the July release, including CVE-2026-55024. That makes the update valuable beyond this individual flaw, but it also means organizations should perform their usual compatibility testing against Excel add-ins, templates, financial models, automation scripts, and line-of-business integrations.
The standalone KB5002886 package specifically targets MSI-based Excel 2016. It does not apply to Click-to-Run installations, including Microsoft 365 editions, which receive fixes through their Office servicing channel. Administrators should identify the installation technology before using the absence of KB5002886 as evidence that a machine remains vulnerable.
Office Online Server receives its fixes through KB5002884. Microsoft lists that package as resolving CVE-2026-55024 alongside multiple other Excel-related vulnerabilities, and the update replaces KB5002875.
That confidence should not be confused with detailed public exploit knowledge. Microsoft has not provided a proof of concept, a sample malicious workbook, crash analysis, or a technical account of the vulnerable parsing path. The National Vulnerability Database was still enriching the entry following its July 14 publication and had not supplied an independent NVD score.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation and assessed the flaw as non-automatable, while recognizing that successful exploitation could have total technical impact. That snapshot is useful for prioritization, but it is not a permanent assurance that attacks will not appear after researchers and threat actors compare patched and unpatched Excel binaries.
The CVSS score also explains why the issue is rated High rather than Critical. The attacker cannot exploit it without getting content onto the system and persuading the user to interact with it. Those barriers reduce the score, but they are hardly unusual in phishing-driven intrusions, where invoices, payroll spreadsheets, purchasing records, and financial reports provide credible lures.
Excel 2016 administrators should verify installation of KB5002886 or confirm that Excel is at version 16.0.5561.1001 or later. Mac fleets should check for version 16.111.26071215 or newer, while Office Online Server operators should verify version 16.0.10417.20175 or later after installing KB5002884.
Until deployment is complete, security teams should treat unsolicited spreadsheets as potentially hostile, preserve Microsoft Defender and Office Protected View controls, and avoid allowing users to bypass file warnings merely because a workbook contains no visible macros. Mail gateways and endpoint detection tools may reduce exposure, but Microsoft has not published enough file-level indicators to construct a CVE-specific blocking rule.
The practical deadline is therefore the organization’s next Office servicing window, not the arrival of a public exploit. CVE-2026-55024 is vendor-confirmed, broadly applicable, and already patched; the unresolved issue is how quickly each Office channel and manually maintained server can be brought to the corrected build.
Detailed in Microsoft’s July 14, 2026 security release, the vulnerability is a type confusion bug tracked as CWE-843. Microsoft describes it as Excel accessing a resource through an incompatible type, potentially allowing an unauthorized attacker to execute code in the context of the user running Excel.
Administrators should deploy the applicable July Office updates rather than relying solely on email filtering or user awareness. Microsoft has not disclosed public technical details sufficient to reproduce the vulnerability, but the vendor-confirmed CVE record establishes that the flaw exists, identifies the affected product families, and provides patched version boundaries.
“Remote” Still Requires a User to Open the Door
Despite its remote code execution classification, CVE-2026-55024 is not a network-reachable Excel service that an attacker can compromise simply by connecting to a Windows PC. Microsoft’s CVSS vector is AV:L/AC:L/PR:N/UI:R, meaning exploitation uses a local attack vector, requires no existing privileges, has low attack complexity, and depends on user interaction.The likely enterprise threat model is therefore a malicious workbook delivered through email, a collaboration platform, cloud storage, an instant message, or a download. Microsoft has not published the required file format, malformed object, or precise Excel feature involved, so defenders should avoid assuming that blocking only traditional XLS files—or only macro-enabled XLSM documents—will stop exploitation.
That distinction also matters for macro policy. Type confusion vulnerabilities arise when software processes data as the wrong kind of object, potentially corrupting memory or producing unsafe behavior. Because Microsoft has not said that VBA is required, disabling macros should not be treated as a complete mitigation for this CVE.
If exploitation succeeds, Microsoft’s scoring assigns high potential impact to confidentiality, integrity, and availability. Code would ordinarily execute with the victim’s permissions, making account privilege a decisive factor: a standard user limits immediate reach, while a user with local administrator rights could give the attacker substantially more control over the device.
The Affected List Extends Beyond Excel 2016
The Microsoft-authored CVE record identifies a broad mix of subscription, perpetual-license, Windows, Mac, and server products. Both 32-bit and 64-bit Windows installations are affected where those architectures are offered.Affected products include:
- Microsoft 365 Apps for Enterprise requires the relevant Office security release for its configured update channel.
- Microsoft Excel 2016 installations earlier than version 16.0.5561.1001 are affected.
- Microsoft Office 2019 is affected and must receive its applicable Office security update.
- Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
- Microsoft 365 and Office LTSC editions on Mac must be updated to version 16.111.26071215 or later.
- Office Online Server installations earlier than version 16.0.10417.20175 are affected.
For MSI-based Excel 2016, Microsoft has released KB5002886. The update raises the relevant Excel 2016 version to the patched threshold and replaces the previously released KB5002865 update. Packages are available for both x86 and x64 editions through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
KB5002886 is not a one-CVE package. Microsoft says it resolves numerous Excel remote code execution and information-disclosure vulnerabilities from the July release, including CVE-2026-55024. That makes the update valuable beyond this individual flaw, but it also means organizations should perform their usual compatibility testing against Excel add-ins, templates, financial models, automation scripts, and line-of-business integrations.
The standalone KB5002886 package specifically targets MSI-based Excel 2016. It does not apply to Click-to-Run installations, including Microsoft 365 editions, which receive fixes through their Office servicing channel. Administrators should identify the installation technology before using the absence of KB5002886 as evidence that a machine remains vulnerable.
Office Online Server receives its fixes through KB5002884. Microsoft lists that package as resolving CVE-2026-55024 alongside multiple other Excel-related vulnerabilities, and the update replaces KB5002875.
Vendor Confirmation Raises Confidence, Not Exploitability
The available evidence supports high confidence that CVE-2026-55024 is a real vulnerability. Microsoft is both the assigning authority and the affected vendor, has classified the weakness, supplied a CVSS vector, named affected products, and shipped corresponding security updates.That confidence should not be confused with detailed public exploit knowledge. Microsoft has not provided a proof of concept, a sample malicious workbook, crash analysis, or a technical account of the vulnerable parsing path. The National Vulnerability Database was still enriching the entry following its July 14 publication and had not supplied an independent NVD score.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation and assessed the flaw as non-automatable, while recognizing that successful exploitation could have total technical impact. That snapshot is useful for prioritization, but it is not a permanent assurance that attacks will not appear after researchers and threat actors compare patched and unpatched Excel binaries.
The CVSS score also explains why the issue is rated High rather than Critical. The attacker cannot exploit it without getting content onto the system and persuading the user to interact with it. Those barriers reduce the score, but they are hardly unusual in phishing-driven intrusions, where invoices, payroll spreadsheets, purchasing records, and financial reports provide credible lures.
Patch Validation Matters More Than Workbook Guesswork
For Microsoft 365 Apps, administrators should confirm that devices have received a July 2026 build containing the Office security fixes for their channel. A device can report that Office is generally up to date while still lagging because of deferred update policies, paused deployments, stale management check-ins, or a channel whose security build has not reached the endpoint.Excel 2016 administrators should verify installation of KB5002886 or confirm that Excel is at version 16.0.5561.1001 or later. Mac fleets should check for version 16.111.26071215 or newer, while Office Online Server operators should verify version 16.0.10417.20175 or later after installing KB5002884.
Until deployment is complete, security teams should treat unsolicited spreadsheets as potentially hostile, preserve Microsoft Defender and Office Protected View controls, and avoid allowing users to bypass file warnings merely because a workbook contains no visible macros. Mail gateways and endpoint detection tools may reduce exposure, but Microsoft has not published enough file-level indicators to construct a CVE-specific blocking rule.
The practical deadline is therefore the organization’s next Office servicing window, not the arrival of a public exploit. CVE-2026-55024 is vendor-confirmed, broadly applicable, and already patched; the unresolved issue is how quickly each Office channel and manually maintained server can be brought to the corrected build.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: techradar.com
An ancient Microsoft Excel security flaw could let hackers hijack your entire system, so patch now | TechRadar
CISA is warning about ongoing exploitation of a 2008 bugwww.techradar.com