Microsoft has patched CVE-2026-55122, a high-severity information-disclosure vulnerability in Microsoft Excel that could expose sensitive process memory when a user interacts with a malicious file. The flaw affects Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021 and 2024, Office for Mac, and Office Online Server.
Detailed in Microsoft’s July 14, 2026 security release, the vulnerability carries a CVSS 3.1 score of 7.1. Microsoft describes it as an out-of-bounds read in Excel, while the National Vulnerability Database classifies the underlying weakness as CWE-125.
The immediate action for administrators is straightforward: deploy the July Office security updates and verify that managed devices have actually moved to patched builds. Excel 2016 installations require particular attention because Microsoft provides a concrete fixed-version boundary, while Click-to-Run installations follow their respective Microsoft 365 or Office servicing channels.
CVE-2026-55122 is not a network-service vulnerability that can be exploited merely by reaching an exposed Windows machine. Microsoft’s CVSS vector identifies it as a local attack requiring user interaction, with no prior privileges required and low attack complexity.
In practice, that profile points to a familiar Office attack path: an attacker persuades a target to open or otherwise process specially crafted Excel content. The file could arrive through email, a collaboration platform, a download, or another delivery mechanism, but the vulnerability itself does not provide an unauthenticated route into the machine over the network.
That distinction lowers the likelihood of indiscriminate automated exploitation, but it does not make the flaw harmless. Spreadsheet attachments remain common in finance, procurement, human resources, operations, and business-to-business communications, where an unexpected workbook may attract less suspicion than an executable file.
The vulnerability’s CVSS vector assigns high impact to both confidentiality and availability. A successful exploit could therefore expose information that Excel should not have returned and potentially destabilize the application or affected process. Microsoft has not described the exact memory contents an attacker could retrieve, so administrators should avoid assuming that disclosure is limited to workbook cells.
An out-of-bounds read occurs when software reads memory beyond the boundary of the data structure it is supposed to access. Depending on the affected memory layout and the attacker’s control over the malformed input, that behavior can reveal nearby data, produce a crash, or help an attacker gather information for another stage of an attack.
The rating does not indicate that CVE-2026-55122 independently permits arbitrary code execution. It is an information-disclosure issue, and the CVSS vector records no integrity impact. Its strategic value to an attacker may instead lie in extracting data or weakening mitigations when combined with another vulnerability.
This product spread matters in mixed estates. A business may patch Windows endpoints through Microsoft Intune or Configuration Manager while maintaining separate update procedures for Office LTSC, Mac devices, virtual desktop images, and Office Online Server. A green Windows Update compliance dashboard does not necessarily prove that every vulnerable Excel installation has received the corresponding Office build.
Microsoft 365 Apps generally receives security fixes through Click-to-Run servicing. Administrators using update rings, delayed enterprise channels, application layering, or nonpersistent virtual desktops should verify the installed Office build rather than relying solely on the date when an update policy was assigned.
For Office 2016, KB5002886 applies to the Microsoft Installer-based edition. It does not serve as a standalone update for Click-to-Run editions, which obtain fixes through their Office servicing channel. This distinction is especially important on older PCs where Office deployment history may be poorly documented.
Windows administrators can check Excel’s version from File > Account > About Excel, query Click-to-Run configuration information, or use endpoint-management inventory. For Excel 2016, versions below 16.0.5561.1001 remain inside the affected range listed in the CVE record.
Mac administrators should verify that Office has reached at least 16.111.26071215. Office Online Server operators should confirm version 16.0.10417.20175 or later and should treat the server update as a separate maintenance action, including any prerequisites and post-installation steps documented by Microsoft.
Organizations that cannot patch immediately should reduce opportunities for untrusted workbooks to reach users. Email attachment controls, Microsoft Defender for Office 365 policies, web filtering, application isolation, and user guidance can narrow the delivery path, but none corrects Excel’s faulty memory access.
Protected View and Mark of the Web remain useful layers when files originate outside the organization. They should not be treated as substitutes for the update, particularly when documents move through systems that strip origin metadata or when users routinely move files into trusted locations.
Security teams should also look beyond filenames and extensions. Attackers can place Office documents inside archives, host them on compromised cloud-storage accounts, or present them as routine invoices and reports. Blocking macros alone is not a complete mitigation because Microsoft has identified the root issue as an out-of-bounds read, not a malicious VBA macro.
The CVSS vector is
The National Vulnerability Database was still awaiting its own enrichment assessment on July 15, one day after publication. Its page currently presents Microsoft’s score and product data rather than an independent NIST score. Further technical details could therefore appear as Microsoft, NIST, or outside researchers analyze the vulnerability.
There is not yet enough public technical information to describe which Excel file structure or parsing routine contains the flawed bounds check. That limits defenders’ ability to create precise content signatures and makes build-level remediation the dependable control.
The supplied report-confidence language should also be read carefully. It explains how CVSS temporal metrics describe confidence in a vulnerability’s existence and technical evidence; it is not, by itself, evidence that exploit code is publicly available. Microsoft’s acknowledgement confirms the vulnerability, but confirmation does not mean active exploitation has been established.
For most organizations, CVE-2026-55122 belongs in the normal July 2026 Office patch cycle rather than a speculative emergency response. Its broad product reach and potential disclosure impact nevertheless make delayed Office channels, unmanaged Macs, legacy Excel 2016 installations, and Office Online Server the systems most likely to remain exposed after routine Windows patching is complete.
Detailed in Microsoft’s July 14, 2026 security release, the vulnerability carries a CVSS 3.1 score of 7.1. Microsoft describes it as an out-of-bounds read in Excel, while the National Vulnerability Database classifies the underlying weakness as CWE-125.
The immediate action for administrators is straightforward: deploy the July Office security updates and verify that managed devices have actually moved to patched builds. Excel 2016 installations require particular attention because Microsoft provides a concrete fixed-version boundary, while Click-to-Run installations follow their respective Microsoft 365 or Office servicing channels.
A Malicious Workbook Still Needs a User
CVE-2026-55122 is not a network-service vulnerability that can be exploited merely by reaching an exposed Windows machine. Microsoft’s CVSS vector identifies it as a local attack requiring user interaction, with no prior privileges required and low attack complexity.In practice, that profile points to a familiar Office attack path: an attacker persuades a target to open or otherwise process specially crafted Excel content. The file could arrive through email, a collaboration platform, a download, or another delivery mechanism, but the vulnerability itself does not provide an unauthenticated route into the machine over the network.
That distinction lowers the likelihood of indiscriminate automated exploitation, but it does not make the flaw harmless. Spreadsheet attachments remain common in finance, procurement, human resources, operations, and business-to-business communications, where an unexpected workbook may attract less suspicion than an executable file.
The vulnerability’s CVSS vector assigns high impact to both confidentiality and availability. A successful exploit could therefore expose information that Excel should not have returned and potentially destabilize the application or affected process. Microsoft has not described the exact memory contents an attacker could retrieve, so administrators should avoid assuming that disclosure is limited to workbook cells.
An out-of-bounds read occurs when software reads memory beyond the boundary of the data structure it is supposed to access. Depending on the affected memory layout and the attacker’s control over the malformed input, that behavior can reveal nearby data, produce a crash, or help an attacker gather information for another stage of an attack.
The rating does not indicate that CVE-2026-55122 independently permits arbitrary code execution. It is an information-disclosure issue, and the CVSS vector records no integrity impact. Its strategic value to an attacker may instead lie in extracting data or weakening mitigations when combined with another vulnerability.
The Exposure Extends Beyond Excel 2016
The affected-product list is broader than the vulnerability’s Excel branding might suggest. Microsoft’s CVE record covers both Windows and macOS Office deployments, along with Office Online Server:- Microsoft 365 Apps for Enterprise is affected on 32-bit and x64 Windows systems until the appropriate servicing-channel update is installed.
- Microsoft Excel 2016 is affected on 32-bit and x64 systems before version 16.0.5561.1001.
- Microsoft Office 2019 is affected on both supported Windows architectures.
- Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
- Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 are affected before version 16.111.26071215.
- Office Online Server is affected before version 16.0.10417.20175.
This product spread matters in mixed estates. A business may patch Windows endpoints through Microsoft Intune or Configuration Manager while maintaining separate update procedures for Office LTSC, Mac devices, virtual desktop images, and Office Online Server. A green Windows Update compliance dashboard does not necessarily prove that every vulnerable Excel installation has received the corresponding Office build.
Microsoft 365 Apps generally receives security fixes through Click-to-Run servicing. Administrators using update rings, delayed enterprise channels, application layering, or nonpersistent virtual desktops should verify the installed Office build rather than relying solely on the date when an update policy was assigned.
For Office 2016, KB5002886 applies to the Microsoft Installer-based edition. It does not serve as a standalone update for Click-to-Run editions, which obtain fixes through their Office servicing channel. This distinction is especially important on older PCs where Office deployment history may be poorly documented.
Patch Verification Matters More Than Policy Assignment
The most useful response is to identify vulnerable builds, deploy the July 14 updates, and then confirm installation. Because CVE-2026-55122 spans perpetual Office releases, Microsoft 365 Apps, macOS, and a server product, one update report may not cover the full environment.Windows administrators can check Excel’s version from File > Account > About Excel, query Click-to-Run configuration information, or use endpoint-management inventory. For Excel 2016, versions below 16.0.5561.1001 remain inside the affected range listed in the CVE record.
Mac administrators should verify that Office has reached at least 16.111.26071215. Office Online Server operators should confirm version 16.0.10417.20175 or later and should treat the server update as a separate maintenance action, including any prerequisites and post-installation steps documented by Microsoft.
Organizations that cannot patch immediately should reduce opportunities for untrusted workbooks to reach users. Email attachment controls, Microsoft Defender for Office 365 policies, web filtering, application isolation, and user guidance can narrow the delivery path, but none corrects Excel’s faulty memory access.
Protected View and Mark of the Web remain useful layers when files originate outside the organization. They should not be treated as substitutes for the update, particularly when documents move through systems that strip origin metadata or when users routinely move files into trusted locations.
Security teams should also look beyond filenames and extensions. Attackers can place Office documents inside archives, host them on compromised cloud-storage accounts, or present them as routine invoices and reports. Blocking macros alone is not a complete mitigation because Microsoft has identified the root issue as an out-of-bounds read, not a malicious VBA macro.
A High Score Without Remote Execution
The 7.1 rating may appear unusual for a vulnerability that requires local interaction and is categorized as information disclosure. The score is driven by the potential for high confidentiality impact and high availability impact, despite requiring a user to trigger the vulnerable Excel behavior.The CVSS vector is
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H. Translated into operational terms, exploitation is local, relatively uncomplicated, requires no existing attacker privileges, and depends on victim interaction. The security impact remains within Excel’s security authority rather than crossing into another scope.The National Vulnerability Database was still awaiting its own enrichment assessment on July 15, one day after publication. Its page currently presents Microsoft’s score and product data rather than an independent NIST score. Further technical details could therefore appear as Microsoft, NIST, or outside researchers analyze the vulnerability.
There is not yet enough public technical information to describe which Excel file structure or parsing routine contains the flawed bounds check. That limits defenders’ ability to create precise content signatures and makes build-level remediation the dependable control.
The supplied report-confidence language should also be read carefully. It explains how CVSS temporal metrics describe confidence in a vulnerability’s existence and technical evidence; it is not, by itself, evidence that exploit code is publicly available. Microsoft’s acknowledgement confirms the vulnerability, but confirmation does not mean active exploitation has been established.
For most organizations, CVE-2026-55122 belongs in the normal July 2026 Office patch cycle rather than a speculative emergency response. Its broad product reach and potential disclosure impact nevertheless make delayed Office channels, unmanaged Macs, legacy Excel 2016 installations, and Office Online Server the systems most likely to remain exposed after routine Windows patching is complete.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: June 9, 2026 (KB5002877) | Microsoft Support
Description of the security update for Excel 2016: June 9, 2026 (KB5002877)support.microsoft.com - Related coverage: techradar.com
This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data | TechRadar
There's more than one way to skin an Excel tablewww.techradar.com