CVE-2026-55046: Patch Excel Data Disclosure With KB5002886

Microsoft has patched CVE-2026-55046, an Important-rated information disclosure vulnerability in Microsoft Excel, through its July 14, 2026 Office security updates. The flaw can expose sensitive data when a user interacts with malicious content, making prompt deployment advisable on Windows, macOS, and Office Online Server systems.
Detailed in Microsoft’s Security Response Center advisory, CVE-2026-55046 is an out-of-bounds read vulnerability tracked as CWE-125. Microsoft assigned it a CVSS 3.1 base score of 5.5, with the vector indicating local attack access, low attack complexity, no prior privileges, required user interaction, and a potentially high confidentiality impact.
The National Vulnerability Database had not completed its independent enrichment as of July 15, but its record reproduces Microsoft’s technical description and affected-product data. The Zero Day Initiative and SANS Internet Storm Center both reported that the vulnerability was neither publicly disclosed nor known to be exploited when Microsoft released the patch.

Cybersecurity illustration showing a malicious workbook blocked by shields, memory protection, and data-leak prevention.A Malicious Workbook Still Needs a User​

CVE-2026-55046 does not give an unauthenticated attacker a direct network route into Excel. Microsoft’s CVSS vector classifies the attack vector as local and requires user interaction, meaning an attacker would generally need to persuade a target to open or otherwise process crafted content.
That distinction lowers the likelihood of automatic, worm-like exploitation, but it does not make the vulnerability harmless. Spreadsheet attachments remain common in phishing, invoicing, payroll, procurement, and financial-reporting workflows. A malicious workbook can therefore arrive in a format that users already expect to receive and review.
An out-of-bounds read occurs when software reads beyond the intended boundary of a memory buffer. Depending on what resides in nearby memory, the application may return information that should not have been available to the document or the person who supplied it.
Microsoft’s scoring gives CVE-2026-55046 a high confidentiality impact while recording no direct integrity or availability impact. In practical terms, this CVE is about unauthorized data exposure rather than changing files, executing arbitrary code, or crashing the system.
The public advisory does not identify exactly what information could be recovered, how reliably an attacker could control the disclosure, or which workbook feature triggers the faulty read. Administrators should avoid assuming that the flaw exposes a particular category of data until Microsoft or the vulnerability’s finder publishes additional technical analysis.

The Patch Reaches Beyond Excel 2016​

The affected-product list spans subscription, perpetual-license, Mac, and server-side Office deployments. Microsoft identifies the following product families as vulnerable:
  • Microsoft 365 Apps for Enterprise is affected on both 32-bit and 64-bit Windows systems.
  • Microsoft Excel 2016 is affected on both 32-bit and 64-bit Windows systems.
  • Microsoft Office 2019 is affected on both 32-bit and 64-bit Windows systems.
  • Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
  • Microsoft 365 and Office LTSC editions for Mac are affected.
  • Office Online Server is affected because it includes server-side Excel processing components.
For MSI-based Excel 2016 installations, the relevant July security package is KB5002886. Microsoft’s affected-version data indicates that Excel 2016 builds earlier than 16.0.5561.1001 remain vulnerable.
Office Online Server administrators need KB5002884, which updates affected deployments to version 16.0.10417.20175. This is particularly important because Office Online Server can process spreadsheets on behalf of users, so remediation should not stop after desktop inventory reports show that Excel clients have been updated.
On macOS, Microsoft lists versions earlier than 16.111.26071215 as affected across Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024. Mac fleets should therefore verify the installed application build instead of treating this as a Windows-only Patch Tuesday issue.
Microsoft 365 Apps and supported perpetual Office editions delivered through Click-to-Run should receive fixes through their configured update channels. Organizations using deferred enterprise channels will need to confirm that the approved build actually contains the July security release; the presence of an operational Office update policy does not prove that every endpoint has received the corrected Excel binaries.

The Exploit-Maturity Language Needs Careful Reading​

The metric description accompanying the advisory explains how confidence in a vulnerability’s existence and technical details affects urgency. That text is a generic description of exploit maturity, not evidence that attackers possess a working exploit for CVE-2026-55046.
The available reporting points in the opposite direction. The Zero Day Initiative’s July update table marks the vulnerability as neither publicly known nor exploited, while SANS Internet Storm Center lists the same status. No public proof-of-concept or confirmed attack campaign was identified at publication time.
That means CVE-2026-55046 should not be called a zero-day. It was disclosed alongside a vendor fix on July 14, 2026, and the available evidence does not indicate that exploitation preceded the update.
The absence of exploitation is still a snapshot, not a permanent guarantee. Once a patch is available, researchers and attackers can compare vulnerable and corrected binaries to identify the relevant code change. The limited technical detail in the advisory may delay that work, but it cannot prevent it.
Microsoft’s “Important” classification and CVSS score of 5.5 should also be read in context. The score is moderated by the local attack vector and requirement for user action, while the confidentiality consequence remains high. For organizations handling payroll data, financial models, customer records, acquisition plans, or regulated information in Excel, the business impact of a successful disclosure could exceed what a medium numerical score initially suggests.

Patch Excel, Then Check the Servers​

For most managed environments, remediation can follow the normal Office deployment process rather than requiring emergency isolation. Administrators should nevertheless confirm coverage across every Office servicing model represented in the organization.
Inventory queries should distinguish Microsoft 365 Apps, Office LTSC, Office 2019, MSI-based Excel 2016, Mac installations, and Office Online Server. Vulnerability scanners may detect the desktop packages while overlooking a separately maintained Office Online Server farm or a Mac population managed through different tooling.
Email and endpoint controls remain useful while updates propagate. Protected View, attachment sandboxing, Mark of the Web enforcement, Microsoft Defender for Office 365 policies, and user warnings around unexpected spreadsheets all reduce exposure, but none should be treated as a substitute for installing the corrected Excel build.
Teams running Excel add-ins, financial modeling extensions, or line-of-business integrations may reasonably perform compatibility testing before broad deployment. The test window should remain short, however, because KB5002886 and the associated Click-to-Run releases address a larger collection of July 2026 Excel vulnerabilities, including information disclosure and remote code execution flaws beyond CVE-2026-55046.
The immediate milestone is straightforward: Windows administrators should verify KB5002886 or the applicable updated Office build, Mac administrators should confirm version 16.111.26071215 or later, and Office Online Server operators should deploy KB5002884 and verify build 16.0.10417.20175. Until those versions are present, crafted spreadsheet content retains a documented route to reading information outside Excel’s intended memory boundaries.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top