CVE-2026-55041 is a high-severity Microsoft Excel vulnerability that can let an attacker run arbitrary code after a crafted file is processed on the target device. Microsoft calls it a “Remote Code Execution Vulnerability,” even though its CVSS 3.1 vector begins with
Published through the Microsoft Security Response Center on July 14, 2026, the flaw carries a CVSS base score of 7.8. Microsoft describes it as a heap-based buffer overflow, tracked under CWE-122, affecting supported editions of Excel, Microsoft 365 Apps, Office LTSC, Office 2019, Office for Mac, and Office Online Server.
Microsoft’s advisory directly addresses the apparently contradictory terminology: “Remote” refers to the attacker’s location, while exploitation itself takes place locally. The company notes that this class of issue is also commonly described as arbitrary code execution, or ACE.
In everyday security language, “remote code execution” often suggests an attacker sending network traffic directly to a listening service. That is only one form of RCE.
For CVE-2026-55041, Excel is not being characterized as a remotely accessible network service. Instead, an attacker can be somewhere else and supply malicious content that eventually reaches Excel. The vulnerable code then runs on the victim’s computer when Excel locally parses or processes that content.
This produces two different but compatible descriptions:
CVSS’s
That distinction is important when comparing CVE-2026-55041 with a vulnerability in Remote Desktop Services, an HTTP server, or another component listening for network connections. Those flaws may qualify for
The final three metrics are all High. Microsoft assesses that successful exploitation could seriously affect confidentiality, integrity, and availability. In practical terms, code running as the user could potentially access that user’s files, alter data, install additional payloads where permissions allow, or disrupt application and system availability.
Scope is Unchanged, represented by
A simple buffer overflow may only crash an application. A carefully engineered overflow can sometimes redirect program execution or corrupt objects and control data in a way that gives an attacker influence over what the application does next. Microsoft’s RCE classification indicates that the security consequence extends to possible code execution rather than denial of service alone.
The code would ordinarily execute with the rights of the account running Excel. On a standard-user workstation, that limits the immediate privileges available to the payload but still exposes the user’s documents, mapped drives, browser-accessible data, and other resources available in that session. On systems where users routinely operate with administrative rights, the potential consequence is considerably broader.
Security controls such as Protected View, Mark of the Web handling, endpoint detection, attachment filtering, and least-privilege accounts can interrupt or reduce parts of a document-based attack chain. They are not substitutes for correcting the vulnerable Excel code, particularly when files move through trusted collaboration systems or lose their original Internet-origin metadata.
For Excel 2016, affected builds are those earlier than 16.0.5561.1001. Microsoft’s July 2026 Office update catalog identifies KB5002886 as the July 14 security update for Excel 2016.
Affected Mac installations should be updated to version 16.111.26071215 or later. Office Online Server should be brought to build 16.0.10417.20175 or later, according to the version information supplied in Microsoft’s CVE record.
Microsoft 365 Apps and supported perpetual Office editions use different servicing mechanisms and release channels, so administrators should not expect one universal KB number or build across every deployment. Managed environments should verify update compliance through their Microsoft 365 Apps management, Configuration Manager, Intune, update-management, or software-inventory tooling rather than assuming Windows Update alone covered every Office installation.
The National Vulnerability Database was still awaiting its own enrichment shortly after publication, but it reproduced Microsoft’s 7.8 score and product information. CISA’s initial SSVC data recorded no known exploitation at that point and characterized automated exploitation as unavailable, though those assessments can change as research or attack activity emerges.
The immediate action is straightforward: deploy the July 14, 2026 Office security updates and confirm the resulting Excel, Office for Mac, and Office Online Server builds. The
AV:L, because the title describes who can ultimately cause code execution, while the Attack Vector metric describes where the vulnerable Excel processing occurs.Published through the Microsoft Security Response Center on July 14, 2026, the flaw carries a CVSS base score of 7.8. Microsoft describes it as a heap-based buffer overflow, tracked under CWE-122, affecting supported editions of Excel, Microsoft 365 Apps, Office LTSC, Office 2019, Office for Mac, and Office Online Server.
Microsoft’s advisory directly addresses the apparently contradictory terminology: “Remote” refers to the attacker’s location, while exploitation itself takes place locally. The company notes that this class of issue is also commonly described as arbitrary code execution, or ACE.
Remote Code Execution Does Not Require a Network Vector
In everyday security language, “remote code execution” often suggests an attacker sending network traffic directly to a listening service. That is only one form of RCE.For CVE-2026-55041, Excel is not being characterized as a remotely accessible network service. Instead, an attacker can be somewhere else and supply malicious content that eventually reaches Excel. The vulnerable code then runs on the victim’s computer when Excel locally parses or processes that content.
This produces two different but compatible descriptions:
- The attacker may be remote from the targeted computer.
- The malicious workbook or related content must be processed locally by the vulnerable application.
- Successful exploitation can result in attacker-controlled code running in the victim’s security context.
CVSS’s
AV:L value answers a narrower question: how close must the attack activity get to the vulnerable component before exploitation can occur? Because the flaw is triggered through local Excel processing rather than a network protocol exposed by Excel, Microsoft scores the Attack Vector as Local.That distinction is important when comparing CVE-2026-55041 with a vulnerability in Remote Desktop Services, an HTTP server, or another component listening for network connections. Those flaws may qualify for
AV:N because an attacker can directly reach the vulnerable component across a network. A malicious Office document typically crosses a separate delivery boundary before the desktop application encounters the defective parser.The CVSS Vector Shows the Expected Attack Chain
Microsoft assigned CVE-2026-55041 the vectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Each value fills in part of the attack model that the RCE title cannot express by itself.AV:L means exploitation occurs through a local access path. It does not necessarily mean the attacker must already have an interactive account, sit at the keyboard, or log on through Remote Desktop.AC:L indicates low attack complexity. Microsoft is not identifying specialized conditions outside the attacker’s control that would make exploitation unusually difficult or unreliable.PR:N means the attacker does not need privileges on the target system before attempting the attack. This is another reason “local” should not be interpreted as “the attacker must already be logged in.” CVSS treats privileges and attack vector as separate properties.UI:R is the metric that captures the victim-dependent step. A user or user-initiated process must participate before exploitation succeeds. In a conventional Office attack scenario, that could involve opening or otherwise processing attacker-supplied content, although Microsoft’s public description does not provide a detailed proof-of-concept attack sequence.The final three metrics are all High. Microsoft assesses that successful exploitation could seriously affect confidentiality, integrity, and availability. In practical terms, code running as the user could potentially access that user’s files, alter data, install additional payloads where permissions allow, or disrupt application and system availability.
Scope is Unchanged, represented by
S:U, because Microsoft scores the vulnerable and affected resources as remaining under the same security authority. That does not make the outcome harmless; it primarily affects how CVSS calculates the final score.A Buffer Overflow Turns Workbook Processing Into Code Execution
The underlying weakness is a heap-based buffer overflow in Microsoft Office Excel. This class of vulnerability occurs when software writes more data into a heap memory region than the allocated buffer can hold, potentially corrupting adjacent memory.A simple buffer overflow may only crash an application. A carefully engineered overflow can sometimes redirect program execution or corrupt objects and control data in a way that gives an attacker influence over what the application does next. Microsoft’s RCE classification indicates that the security consequence extends to possible code execution rather than denial of service alone.
The code would ordinarily execute with the rights of the account running Excel. On a standard-user workstation, that limits the immediate privileges available to the payload but still exposes the user’s documents, mapped drives, browser-accessible data, and other resources available in that session. On systems where users routinely operate with administrative rights, the potential consequence is considerably broader.
Security controls such as Protected View, Mark of the Web handling, endpoint detection, attachment filtering, and least-privilege accounts can interrupt or reduce parts of a document-based attack chain. They are not substitutes for correcting the vulnerable Excel code, particularly when files move through trusted collaboration systems or lose their original Internet-origin metadata.
Microsoft’s July Updates Cover Windows, Mac, and Server Editions
The CVE record lists Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 among the affected Windows products. Microsoft also identifies Microsoft 365 for Mac, Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Office Online Server.For Excel 2016, affected builds are those earlier than 16.0.5561.1001. Microsoft’s July 2026 Office update catalog identifies KB5002886 as the July 14 security update for Excel 2016.
Affected Mac installations should be updated to version 16.111.26071215 or later. Office Online Server should be brought to build 16.0.10417.20175 or later, according to the version information supplied in Microsoft’s CVE record.
Microsoft 365 Apps and supported perpetual Office editions use different servicing mechanisms and release channels, so administrators should not expect one universal KB number or build across every deployment. Managed environments should verify update compliance through their Microsoft 365 Apps management, Configuration Manager, Intune, update-management, or software-inventory tooling rather than assuming Windows Update alone covered every Office installation.
The National Vulnerability Database was still awaiting its own enrichment shortly after publication, but it reproduced Microsoft’s 7.8 score and product information. CISA’s initial SSVC data recorded no known exploitation at that point and characterized automated exploitation as unavailable, though those assessments can change as research or attack activity emerges.
The immediate action is straightforward: deploy the July 14, 2026 Office security updates and confirm the resulting Excel, Office for Mac, and Office Online Server builds. The
AV:L score should influence how defenders understand the delivery chain, but it should not be mistaken for a requirement that the attacker already possess local access—or as a reason to discount an Excel flaw capable of executing code.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: June 9, 2026 (KB5002877) | Microsoft Support
Description of the security update for Excel 2016: June 9, 2026 (KB5002877)support.microsoft.com - Related coverage: www2.gov.bc.ca
- Related coverage: techradar.com
This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data | TechRadar
There's more than one way to skin an Excel tablewww.techradar.com