CVE-2026-55029 is a high-severity Microsoft Excel vulnerability that can let an attacker’s code run on a victim’s computer, even though its CVSS vector classifies the attack path as local. The apparent contradiction comes from two different uses of the word remote: Microsoft’s title describes where the attacker may be located, while CVSS describes how exploitation reaches the vulnerable Excel component.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security updates. Detailed in the Microsoft Security Response Center advisory, the flaw is a heap-based buffer overflow tracked as CWE-122 and carries a CVSS 3.1 score of 7.8, with the vector
The practical scenario is familiar to Office administrators: an attacker sends or otherwise supplies a specially crafted workbook, and the recipient opens it in Excel. The file may have arrived remotely through email, Microsoft Teams, a download, cloud storage, or another distribution channel, but the vulnerable parsing operation occurs when Excel processes it on the local device.
Microsoft uses remote code execution, or RCE, to describe vulnerabilities through which a remotely located attacker can cause arbitrary code to run on another person’s system. The term does not necessarily mean the vulnerable application exposes a listening network service or can be compromised directly over the internet.
In CVE-2026-55029, the attacker does not appear to send packets directly to an Excel network service. Instead, the attacker must persuade a user to bring attacker-controlled content into Excel’s local execution context. That distinction explains the
Microsoft addresses the terminology directly in its advisory. The company says “Remote” in the title refers to the attacker’s location and notes that this class of issue is also described as arbitrary code execution, or ACE. The exploit itself is carried out locally because the victim or attacker must cause code or content to be processed on the affected machine.
The title therefore communicates the potential security impact, while the CVSS attack-vector field communicates the immediate route used to trigger the vulnerable component. Both descriptions can be accurate at the same time.
The rest of Microsoft’s vector provides a clearer picture:
The distinction also prevents administrators from interpreting “RCE” as automatically meaning a wormable or unauthenticated network exploit. CVE-2026-55029 is serious because successful exploitation could grant code execution in the victim’s context, but it is not scored as an attack that directly traverses the network stack into Excel without user involvement.
A carefully constructed workbook may be able to corrupt adjacent memory while Excel is parsing its contents. In a successful exploit, that corruption can redirect program behavior and allow attacker-controlled instructions to execute rather than merely crashing the application.
Code would generally run with the permissions available to the affected user. That makes account privilege boundaries important: a standard user limits some immediate damage, while a user operating with administrative rights can expose substantially more of the machine.
The CVSS impacts are nevertheless rated high across confidentiality, integrity, and availability. An exploit could potentially read accessible information, alter files or settings, install additional payloads, or disrupt the system. Microsoft rated the vulnerability Important rather than Critical, reflecting the required local processing and user interaction rather than a lack of serious consequences after exploitation.
At publication, the Zero Day Initiative’s July 2026 security-update review listed CVE-2026-55029 as neither publicly disclosed nor known to be exploited. CISA’s initial vulnerability assessment likewise recorded no observed exploitation, although that status can change as researchers analyze the update and attackers compare patched and unpatched Excel builds.
For Excel 2016, the July 14 security release is delivered through KB5002886, with affected builds below 16.0.5561.1001 identified in the CVE record. Microsoft’s Mac product data points to version 16.111.26071215 as the corrected boundary, while Office Online Server installations should be brought to at least 16.0.10417.20175.
Microsoft 365 Apps and newer Office editions use their respective servicing channels, so administrators should verify that devices have received the July 2026 Office security release rather than looking for one universal KB number. Managed environments should also check devices that defer Microsoft 365 Apps updates or remain pinned to older enterprise channels.
Office Online Server deserves separate attention because it is a server deployment and may not follow the same update workflow as desktop Office clients. Its inclusion does not transform the CVSS vector into a network attack; it indicates that the vulnerable Excel-related code is present in another supported Microsoft product and requires its corresponding update.
Administrators should prioritize the July 14, 2026 Office updates, confirm that supported Mac and Windows installations have advanced to fixed builds, and review Office Online Server separately. Organizations that cannot update immediately should strengthen controls around untrusted workbooks and discourage users from bypassing warnings to open unexpected files.
The key reading is straightforward: CVE-2026-55029 is remote in attacker origin and code-execution impact, but local in the CVSS exploitation path. An attacker can deliver the weaponized content from afar, while the decisive step occurs when the target machine runs Excel and processes that content locally.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly security updates. Detailed in the Microsoft Security Response Center advisory, the flaw is a heap-based buffer overflow tracked as CWE-122 and carries a CVSS 3.1 score of 7.8, with the vector
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.The practical scenario is familiar to Office administrators: an attacker sends or otherwise supplies a specially crafted workbook, and the recipient opens it in Excel. The file may have arrived remotely through email, Microsoft Teams, a download, cloud storage, or another distribution channel, but the vulnerable parsing operation occurs when Excel processes it on the local device.
“Remote Code Execution” Describes the Outcome
Microsoft uses remote code execution, or RCE, to describe vulnerabilities through which a remotely located attacker can cause arbitrary code to run on another person’s system. The term does not necessarily mean the vulnerable application exposes a listening network service or can be compromised directly over the internet.In CVE-2026-55029, the attacker does not appear to send packets directly to an Excel network service. Instead, the attacker must persuade a user to bring attacker-controlled content into Excel’s local execution context. That distinction explains the
AV:L metric.Microsoft addresses the terminology directly in its advisory. The company says “Remote” in the title refers to the attacker’s location and notes that this class of issue is also described as arbitrary code execution, or ACE. The exploit itself is carried out locally because the victim or attacker must cause code or content to be processed on the affected machine.
The title therefore communicates the potential security impact, while the CVSS attack-vector field communicates the immediate route used to trigger the vulnerable component. Both descriptions can be accurate at the same time.
CVSS Treats the Malicious Workbook as a Local Input
TheAV:L component does not mean an attacker must already have an interactive account, Remote Desktop session, or physical access to the computer. It means exploitation occurs through a local action or locally processed object rather than by communicating directly with the vulnerable component across a network boundary.The rest of Microsoft’s vector provides a clearer picture:
- Attack complexity is low, indicating that exploitation does not depend on unusual environmental conditions.
- No privileges are required before the malicious content reaches the victim.
- User interaction is required, consistent with a recipient opening or otherwise processing attacker-supplied content.
- A successful attack can have high confidentiality, integrity, and availability impact.
AV:L, PR:N, and UI:R — is common among document-based Office vulnerabilities. The attacker can be on the other side of the world and require no account on the target system, yet exploitation is still scored as local because Excel must process the crafted file on the endpoint.The distinction also prevents administrators from interpreting “RCE” as automatically meaning a wormable or unauthenticated network exploit. CVE-2026-55029 is serious because successful exploitation could grant code execution in the victim’s context, but it is not scored as an attack that directly traverses the network stack into Excel without user involvement.
A Heap Overflow Turns Data Into Execution
Microsoft describes CVE-2026-55029 as a heap-based buffer overflow in Microsoft Office Excel. This class of memory-safety defect occurs when an application writes more data into a heap allocation than the allocated area can safely contain.A carefully constructed workbook may be able to corrupt adjacent memory while Excel is parsing its contents. In a successful exploit, that corruption can redirect program behavior and allow attacker-controlled instructions to execute rather than merely crashing the application.
Code would generally run with the permissions available to the affected user. That makes account privilege boundaries important: a standard user limits some immediate damage, while a user operating with administrative rights can expose substantially more of the machine.
The CVSS impacts are nevertheless rated high across confidentiality, integrity, and availability. An exploit could potentially read accessible information, alter files or settings, install additional payloads, or disrupt the system. Microsoft rated the vulnerability Important rather than Critical, reflecting the required local processing and user interaction rather than a lack of serious consequences after exploitation.
At publication, the Zero Day Initiative’s July 2026 security-update review listed CVE-2026-55029 as neither publicly disclosed nor known to be exploited. CISA’s initial vulnerability assessment likewise recorded no observed exploitation, although that status can change as researchers analyze the update and attackers compare patched and unpatched Excel builds.
The Fix Reaches Windows, Mac, and Office Online Server
Microsoft’s affected-product data spans more than the perpetual Windows edition of Excel. Listed products include Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office 365 for Mac, Office LTSC for Mac 2021 and 2024, and Office Online Server.For Excel 2016, the July 14 security release is delivered through KB5002886, with affected builds below 16.0.5561.1001 identified in the CVE record. Microsoft’s Mac product data points to version 16.111.26071215 as the corrected boundary, while Office Online Server installations should be brought to at least 16.0.10417.20175.
Microsoft 365 Apps and newer Office editions use their respective servicing channels, so administrators should verify that devices have received the July 2026 Office security release rather than looking for one universal KB number. Managed environments should also check devices that defer Microsoft 365 Apps updates or remain pinned to older enterprise channels.
Office Online Server deserves separate attention because it is a server deployment and may not follow the same update workflow as desktop Office clients. Its inclusion does not transform the CVSS vector into a network attack; it indicates that the vulnerable Excel-related code is present in another supported Microsoft product and requires its corresponding update.
Patch Management Matters More Than the Naming Quirk
The title-versus-vector distinction changes how defenders should model the initial attack, but it does not reduce the need to patch. Email filtering, Microsoft Defender protections, attachment sandboxing, Protected View, and Mark of the Web controls can interfere with malicious-document delivery, yet they are defense-in-depth measures rather than replacements for correcting the underlying memory flaw.Administrators should prioritize the July 14, 2026 Office updates, confirm that supported Mac and Windows installations have advanced to fixed builds, and review Office Online Server separately. Organizations that cannot update immediately should strengthen controls around untrusted workbooks and discourage users from bypassing warnings to open unexpected files.
The key reading is straightforward: CVE-2026-55029 is remote in attacker origin and code-execution impact, but local in the CVSS exploitation path. An attacker can deliver the weaponized content from afar, while the decisive step occurs when the target machine runs Excel and processes that content locally.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: June 9, 2026 (KB5002877) | Microsoft Support
Description of the security update for Excel 2016: June 9, 2026 (KB5002877)support.microsoft.com - Related coverage: techradar.com
An ancient Microsoft Excel security flaw could let hackers hijack your entire system, so patch now | TechRadar
CISA is warning about ongoing exploitation of a 2008 bugwww.techradar.com