CVE-2026-55131: Patch Excel RCE With July 14 Office Updates

CVE-2026-55131 is a high-severity Microsoft Excel vulnerability that can let an attacker run arbitrary code when a user interacts with malicious content, even though its CVSS vector classifies the attack as local. The apparent contradiction comes from two different uses of “remote”: remote code execution describes the security impact, while AV:L describes where exploitation occurs.
Microsoft published the vulnerability on July 14, 2026, as part of its monthly Office security updates. Detailed in Microsoft’s Security Update Guide, the flaw is a heap-based buffer overflow in Excel and carries a CVSS 3.1 score of 7.8.
The National Vulnerability Database reproduces Microsoft’s vector as CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, exploitation has low complexity, requires no existing privileges, needs user interaction, and can have a high impact on confidentiality, integrity, and availability.

Cybersecurity illustration showing an Excel exploit causing heap overflow and controlled code execution.“Remote Code Execution” Is an Impact Category​

In Microsoft security terminology, remote code execution does not necessarily mean that a vulnerable PC accepts an unsolicited network request from an attacker. It means an attacker who is not already authorized to run code on the target may be able to cause attacker-controlled code to execute.
For CVE-2026-55131, the attacker may be elsewhere when preparing and delivering the malicious content. The vulnerable Excel process, however, parses that content and triggers the memory corruption on the victim’s computer.
Microsoft explains the distinction directly in its advisory: “remote” in the vulnerability title refers to the attacker’s location. The actual exploitation step is local because Excel must process the content on the affected machine. This class of issue is also commonly described as arbitrary code execution, or ACE.
That separates CVE-2026-55131 from a network-exploitable vulnerability in which an attacker sends packets directly to a listening service. Excel does not need to expose an inbound network service for this flaw to matter.
Instead, the likely security boundary looks like this:
  • An attacker creates or supplies content intended to trigger the Excel heap-based buffer overflow.
  • The content reaches the target through some delivery mechanism.
  • A user must interact with it, as reflected by UI:R.
  • Excel processes the content locally and reaches the vulnerable code path.
  • Successful exploitation could execute code with the permissions of the user running Excel.
Microsoft’s public description does not provide enough technical detail to establish the precise file structure, workbook feature, or parsing operation involved. Administrators should therefore avoid building defenses around an assumed extension or Excel feature unless Microsoft publishes additional guidance.

Why CVSS Still Says AV:L​

The CVSS Attack Vector metric measures how close an attacker must be to the vulnerable component at the point of exploitation. It does not describe where the attacker was sitting when the exploit was created, emailed, uploaded, or otherwise delivered.
For CVE-2026-55131, Microsoft assigned AV:L because exploitation requires the vulnerable Excel installation to process content locally. The flaw is not triggered merely by sending a network request across the internet to an exposed Excel service.
The other CVSS fields complete the picture:
  • AC:L means Microsoft considers the attack complexity low once the necessary conditions exist.
  • PR:N means the attacker does not require an existing account or privileges on the target.
  • UI:R means exploitation requires action by a user.
  • S:U means the security authority affected by exploitation remains unchanged.
  • C:H/I:H/A:H reflects potentially high impact to data confidentiality, data integrity, and system availability.
Those metrics are internally consistent. An unauthorized attacker can prepare the malicious input without possessing credentials, but a local Excel process and user interaction are required to reach the vulnerable code.
The distinction matters when comparing this bug with vulnerabilities carrying AV:N. A network-vector flaw might be exploitable directly against a reachable service, potentially supporting automated scanning and compromise. CVE-2026-55131 is not described that way.
CISA’s initial SSVC data lists no known exploitation and marks the vulnerability as not automatable, while recognizing potentially total technical impact. That assessment aligns with an Office document-style attack that requires a victim-side step rather than a self-propagating network exploit.

The User’s Permissions Define the Blast Radius​

Successful exploitation runs code in the security context associated with Excel. A user operating without administrative rights generally limits what the attacker’s payload can immediately change, although access to that user’s files, browser data, mapped drives, cloud-synchronized folders, and business applications can still make the compromise serious.
An administrator opening untrusted Excel content presents a larger risk. Code executing with elevated rights could gain wider control over the computer, alter protected settings, or install persistent components.
That makes least-privilege configuration a meaningful mitigation, but not a substitute for patching. Enterprises should also treat spreadsheets from external mail, collaboration platforms, download portals, and shared storage as untrusted until their origin and purpose are verified.
Protected View, Microsoft Defender, mail filtering, endpoint detection, and application-control policies can add barriers. None should be assumed to make a vulnerable Excel build safe against every delivery or evasion technique.

The Patch Reaches Beyond Excel 2016​

Microsoft’s affected-product data covers a broad Office footprint rather than one legacy Excel release. Listed products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Excel 2016, Office Online Server, Microsoft 365 for Mac, and Office LTSC editions for Mac.
For perpetual Excel 2016 installations, fixed versions begin at 16.0.5561.1001. Microsoft released KB5002886 as the July 14 security update for Excel 2016.
Affected Office Online Server installations need version 16.0.10417.20175 or later. On macOS, Microsoft’s affected-version data points to version 16.111.26071215 as the corrected boundary for Microsoft 365 and supported Office LTSC products.
Microsoft 365 Apps and newer Windows Office editions follow their respective servicing channels, so administrators should verify the deployed build against Microsoft’s Office security release information rather than looking only for the Excel 2016 KB. Devices on deferred enterprise channels may have different build numbers even when the applicable fix has been released.
The practical response is straightforward: deploy the July 14, 2026 Office updates, confirm that managed devices actually advanced to a corrected build, and investigate machines that remain behind because of frozen channels, failed installations, disabled Office updates, or unsupported add-in requirements.
AV:L does not reduce CVE-2026-55131 to an ordinary local privilege problem. The attacker needs Excel to execute the exploit locally, but does not need prior access or credentials; the user interaction is what bridges that gap. Until every affected Office installation is updated, untrusted spreadsheets remain the most important control point.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Official source: techcommunity.microsoft.com
  4. Related coverage: techradar.com
 

Back
Top