CVE-2026-55036: Patch Excel RCE in July 14 Office Updates

CVE-2026-55036 is a newly patched Microsoft Excel remote code execution vulnerability that can let an attacker run code after a user opens malicious content. Microsoft released fixes on July 14, 2026, covering Microsoft 365 Apps, Office 2019, Office LTSC 2021 and 2024, Excel 2016, Office for Mac, and Office Online Server.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the flaw carries a CVSS 3.1 base score of 7.8, rated High. Administrators should prioritize the July Office updates on endpoints that routinely handle spreadsheets received through email, collaboration platforms, customer portals, and other untrusted sources.
The available evidence does not indicate active exploitation. CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment records no known exploitation and says the attack is not readily automatable, although successful exploitation could have a total technical impact on the affected system.

A cybersecurity shield blocks a malware attack spreading across computers, servers, and memory modules.“Remote Code Execution” Still Requires a Local Trigger​

Microsoft describes CVE-2026-55036 as a buffer over-read in Microsoft Office Excel. The associated weakness is CWE-126, which covers software reading beyond the end or beginning of an intended memory buffer.
That condition can expose adjacent memory, crash an application, or become part of a path to code execution, depending on the vulnerable parser and an attacker’s control over the surrounding data. Microsoft has not publicly documented the precise Excel file structure, record type, or parsing component involved, limiting defenders’ ability to identify a reliable file-level signature.
Despite the advisory’s remote code execution title, the CVSS vector classifies the attack as local: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, an attacker does not need existing privileges, and the attack complexity is rated low, but exploitation requires user interaction.
That distinction matters when triaging the vulnerability. This is not described as a wormable network service flaw that can be triggered merely by reaching a Windows PC over the internet. The more plausible threat model is a weaponized workbook or other Excel-readable content delivered to a target and opened or otherwise processed in a vulnerable Office environment.
Remote code execution remains an appropriate impact description because the person preparing and delivering the malicious document can be elsewhere. However, the vulnerability’s immediate execution context is the local machine running Excel, not an exposed network listener.
If exploitation succeeds, the attacker could potentially gain the confidentiality, integrity, and availability impact represented by the CVSS vector. The actual level of access would ordinarily be constrained by the privileges of the user or service processing the file, making standard-user operation and application containment valuable secondary defenses.

The Affected Footprint Extends Beyond Excel 2016​

The vulnerability is not confined to one perpetual Office release. Microsoft’s affected-product data identifies both 32-bit and 64-bit Windows editions where applicable, along with current and long-term servicing products.
Affected software includes:
  • Microsoft 365 Apps for enterprise is affected on 32-bit and 64-bit Windows systems until the relevant Office security release is installed.
  • Microsoft Excel 2016 is affected before version 16.0.5561.1001 on both 32-bit and 64-bit systems.
  • Microsoft Office 2019 is affected on supported 32-bit and 64-bit installations.
  • Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
  • Microsoft 365 and Office 365 for Mac are affected before version 16.111.26071215.
  • Office LTSC for Mac 2021 and 2024 are affected before version 16.111.26071215.
  • Office Online Server is affected before version 16.0.10417.20175.
This spread makes inventory accuracy more important than checking only for desktop Excel installations. Office Online Server deserves separate attention because it can process documents centrally, while Mac systems may fall outside Windows-focused patch dashboards even though the vulnerability affects their Office builds.
Microsoft’s July 2026 Office release also contains numerous other Excel security fixes. For MSI-based Excel 2016 deployments, KB5002886 resolves CVE-2026-55036 alongside a larger collection of Excel remote code execution and information disclosure vulnerabilities. The package replaces KB5002865 and is available through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
Microsoft notes that KB5002886 applies to the MSI-based edition of Excel 2016, not Click-to-Run products such as Microsoft 365. Click-to-Run administrators should therefore verify channel-specific Office build compliance rather than assuming the presence or absence of the standalone KB tells the whole story.
Office Online Server receives its fixes through KB5002884, which replaces KB5002875. Microsoft lists CVE-2026-55036 among the Excel vulnerabilities addressed by that server update.

Sparse Technical Detail Raises the Value of Basic Controls​

The existence of CVE-2026-55036 is vendor-confirmed, and Microsoft has supplied a weakness classification, severity score, affected-product list, and patches. That gives defenders high confidence that the vulnerability is real even though the public technical description remains narrow.
There is currently no public explanation of the malformed input required to trigger the buffer over-read. Microsoft has also not published a proof of concept, exploit chain, or detailed workaround specific to the flaw. The National Vulnerability Database was still enriching its record on July 15, one day after publication, and had not produced an independent CVSS assessment.
That leaves patching as the strongest direct control. Where immediate deployment is not possible, organizations should reduce exposure by treating unsolicited spreadsheets as potentially hostile, keeping Microsoft Defender protections and email scanning enabled, and avoiding broad exceptions that allow Office documents to bypass Mark of the Web or Protected View.
Security teams should also review places where spreadsheets are processed outside an employee’s visible desktop session. Automated reporting services, add-ins, line-of-business applications, preview systems, and document-conversion workflows may invoke Office components in ways that are easy to miss during endpoint-only testing.
Protected View and file-origin warnings can make user-assisted exploitation harder, but they are not substitutes for correcting the vulnerable parser. Attackers regularly use convincing business pretexts—purchase orders, invoices, payroll records, financial forecasts, and shipping notices—to persuade users to leave protected modes or trust downloaded content.
The absence of known exploitation should similarly not be read as evidence that exploitation is impossible. CVE-2026-55036 has low attack complexity and requires no prior privileges according to Microsoft’s CVSS vector, while the limited public detail currently works in defenders’ favor by withholding a ready technical blueprint from would-be attackers.

Patch Validation Matters More Than the KB Number​

For managed Microsoft 365 Apps environments, administrators should use their Office update reporting, Microsoft Intune, Configuration Manager, or equivalent tooling to confirm that devices have moved to patched builds for their assigned servicing channel. A device can report healthy Windows cumulative-update compliance while retaining an outdated Click-to-Run Office build.
Excel 2016 administrators should confirm that EXCEL.EXE and associated Office components reflect the files installed by KB5002886, with version 16.0.5561.1001 serving as the published affected-version boundary for this CVE. Both x86 and x64 packages are available, so deployment rules must match the installed Office architecture rather than the architecture of Windows itself.
Mac administrators should verify that Office has reached version 16.111.26071215 or later. Office Online Server operators should check for version 16.0.10417.20175 or later after deploying KB5002884 and completing any required farm update procedures.
CVE-2026-55036 is not currently characterized as an exploited zero-day, but its broad Office footprint and code-execution impact make it unsuitable for an extended patch deferral. The next meaningful signal will be whether Microsoft revises its advisory, security researchers publish file-format details, or CISA changes the exploitation status; until then, the concrete action is to deploy the July 14 Office fixes and verify the resulting build on every platform that processes Excel content.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: techradar.com
 

Back
Top