CVE-2026-55048: Patch Excel RCE Despite AV:L Local Rating

Microsoft’s CVE-2026-55048 advisory classifies an Excel flaw as a remote code execution vulnerability even though its CVSS vector begins with AV:L, or Attack Vector: Local. The terms describe different parts of the attack: “remote code execution” identifies the attacker’s relationship to the targeted computer, while AV:L describes where the vulnerable Excel processing must occur.
Published on July 14, 2026, the Microsoft Security Response Center advisory rates CVE-2026-55048 as Important with a CVSS 3.1 base score of 7.8. Microsoft describes an integer overflow or wraparound in Excel that can allow an unauthorized attacker to execute code locally, but exploitation requires a user to interact with attacker-controlled content.
That combination is not a contradiction. It is a common source of confusion in Microsoft Office advisories, where an attacker can deliver a malicious document from elsewhere but must persuade the victim to open or otherwise process it on the local machine.

Cybersecurity illustration showing a remote attacker targeting local Excel processing, with a high-severity warning.“Remote” Describes the Attacker, Not the Packet Path​

In the vulnerability title, remote code execution means that the attacker does not initially need an account, interactive desktop session, or physical presence on the affected computer. The attacker can prepare malicious content remotely and send it to the intended victim through email, a messaging platform, cloud storage, a download site, or another delivery channel.
The actual vulnerability is triggered only after Excel processes that content on the victim’s device. That is why Microsoft assigns AV:L: the vulnerable operation takes place in a locally running application rather than through a network-reachable Excel service that accepts unsolicited requests.
Microsoft addresses this distinction directly in its Security Update Guide. The company says “remote” refers to the attacker’s location and notes that this class of flaw is sometimes called arbitrary code execution, or ACE. The exploit itself is carried out locally because either the attacker or the victim must cause code or malicious content to run from the target machine.
A typical attack sequence would therefore look like this:
  1. An attacker creates a specially crafted Excel file designed to trigger the integer-overflow condition.
  2. The attacker delivers the file to a user through email, Teams, OneDrive, a website, or another channel.
  3. The user opens or otherwise processes the file with a vulnerable Excel installation.
  4. Excel encounters the malformed content, corrupting memory in a way that may permit attacker-controlled code to run.
The attacker is remote during delivery, but the vulnerable parser and resulting code execution are local to the victim’s computer.

The CVSS Vector Measures Exploit Preconditions​

Microsoft assigned CVE-2026-55048 the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Each component describes a specific property of the exploit rather than serving as another version of the vulnerability title.
AV:L indicates that exploitation depends on an action performed on the vulnerable system. In this case, Excel must process the malicious content locally. It does not necessarily mean the attacker already has local access.
AC:L means Microsoft considers the attack complexity low once the required conditions are met. The attacker is not expected to defeat a race condition, predict an unusual configuration, or perform elaborate preparation beyond creating and delivering the malicious content.
PR:N means the attacker requires no existing privileges on the target. There is no prerequisite for a Windows account, Microsoft 365 identity, or authenticated Excel session under the attacker’s control.
UI:R is the crucial qualifier for defenders. User interaction is required, so this is not described as a wormable vulnerability that automatically compromises an exposed machine. A user must open or otherwise interact with the crafted content for Excel to reach the vulnerable code path.
S:U indicates that the security scope remains unchanged. Successful exploitation affects resources governed by the same security authority as the vulnerable Excel process rather than directly crossing into another security boundary.
The final three metrics — C:H/I:H/A:H — reflect potentially severe consequences. Successful exploitation could give the attacker substantial access to data, permit modification of information, and disrupt the availability of affected resources. The code would ordinarily run with the privileges of the user who launched Excel, making account privilege and endpoint controls important limiting factors.

Excel Files Remain the Delivery Mechanism​

The local attack-vector rating should not be read as evidence that CVE-2026-55048 matters only after an attacker has already compromised a PC. A malicious workbook arriving from outside the organization remains a plausible delivery scenario because the local requirement can be satisfied by the victim opening that workbook.
This distinction matters for vulnerability-management systems. A scanner may label the underlying check or plugin “local” because it determines whether a vulnerable Office build is installed. That label does not mean administrators can safely deprioritize the update on laptops or workstations that receive files from external sources.
Microsoft’s record identifies the underlying weaknesses as an integer overflow or wraparound and a heap-based buffer overflow. Those classifications suggest that malformed workbook data can cause Excel to perform unsafe memory operations, although Microsoft has not published enough technical detail to reconstruct the vulnerable file structure or exploitation method.
The Zero Day Initiative’s review of Microsoft’s July 2026 security releases lists CVE-2026-55048 as an Important, 7.8-rated Excel RCE issue. It also reports that the vulnerability was neither publicly disclosed nor known to be exploited when the update was released on July 14.
That lowers the immediate urgency compared with an actively exploited zero-day, but it does not remove the risk. Office documents are familiar phishing attachments, and technical details can emerge after security researchers compare patched and unpatched Excel binaries.

July’s Office Updates Close the Vulnerable Code Path​

CVE-2026-55048 affects Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Excel 2016, Office Online Server, and supported Office editions for macOS. The affected-product record lists Excel 2016 versions earlier than 16.0.5561.1001, Office Online Server versions earlier than 16.0.10417.20175, and Mac Office versions earlier than 16.111.26071215.
For MSI-based Excel 2016 installations, Microsoft included the correction in the July 14 security update KB5002886. Microsoft’s July 2026 Office update index recommends installing all applicable updates and distinguishes these MSI packages from Click-to-Run Microsoft 365 servicing, which follows its own release channels and build numbers.
Administrators should verify the installed Office edition and update channel rather than looking only for KB5002886 across every endpoint. Microsoft 365 Apps, Office LTSC, Office 2019, Office for Mac, and Office Online Server receive fixes through different packages even though they share the same CVE.
Until deployment is complete, normal Office hardening remains useful. Organizations can block unexpected spreadsheet attachments, preserve Mark of the Web information, use Protected View, restrict downloads from untrusted sources, and ensure users do not routinely run Excel with administrative privileges. Endpoint detection should also treat unusual child processes launched by Excel as suspicious, particularly when the workbook originated outside the organization.
The practical reading of CVE-2026-55048 is therefore straightforward: an attacker can be remote, the malicious file can arrive remotely, and the resulting code can be controlled remotely, while the vulnerable Excel operation still occurs locally. Patch the affected Office builds; do not interpret AV:L as requiring the attacker to already be sitting at the machine.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
 

Back
Top