Microsoft has patched CVE-2026-55138, a Microsoft Excel information-disclosure vulnerability that can expose sensitive data when a user interacts with malicious content. Released on July 14, 2026, the flaw affects Microsoft 365 Apps for enterprise, Excel 2016, Office 2019, Office LTSC editions, Office for Mac, and Office Online Server.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55138 is rated Medium with a CVSS 3.1 base score of 5.5. It is not known to have been exploited in the wild, but the breadth of affected Office installations makes the July security updates relevant to both managed fleets and standalone PCs.
The flaw stems from an untrusted pointer dereference in Excel. Microsoft says an unauthorized attacker could exploit it locally to disclose information, although successful exploitation requires a victim to take an action such as opening or otherwise interacting with attacker-controlled content.
The CVSS vector for CVE-2026-55138 is
The most important component is
That distinction matters when triaging the update. CVE-2026-55138 is not presented as a remote-code-execution flaw capable of immediately taking over a PC, but information disclosure can still expose material useful for a second stage of an attack. Spreadsheet files commonly contain financial figures, internal forecasts, customer records, credentials copied into cells, hidden worksheets, and links to corporate data sources.
Microsoft’s description does not identify exactly what information could be recovered or provide a public proof of concept. The CVE record classifies the weakness as CWE-822, Untrusted Pointer Dereference, indicating that Excel may dereference a pointer whose value cannot be trusted during processing.
An untrusted pointer can cause an application to access memory outside the data it was intended to handle. Depending on the affected code path, that behavior can disclose process memory or other data available to the application. Microsoft has not publicly documented the vulnerable Excel feature, workbook structure, or file format involved, so defenders should not assume that macros, external links, or another familiar Excel mechanism must be enabled for exposure to exist.
CISA’s initial assessment recorded no known exploitation and categorized the flaw as not automatable, with partial technical impact. That lowers the immediate urgency compared with an actively exploited Office zero-day, but it does not provide a reason to leave Excel unpatched.
For Excel 2016, Microsoft issued KB5002886 on July 14. The update applies to MSI-based Excel 2016 installations and replaces KB5002865. Microsoft notes that the standalone Download Center package does not apply to Click-to-Run editions such as Microsoft 365, which receive fixes through their respective Office update channels.
KB5002886 addresses a large collection of Excel vulnerabilities rather than CVE-2026-55138 alone. Its security summary covers both information-disclosure and remote-code-execution flaws, strengthening the case for deploying the full update instead of evaluating this one CVE in isolation.
Office Online Server receives its July fixes through KB5002884, which replaces KB5002875. The package likewise addresses numerous Excel vulnerabilities, including CVE-2026-55138, and should be handled through the organization’s established Office Online Server servicing process.
Microsoft 365 Apps and retail Click-to-Run installations do not use the Excel 2016 MSI package. Administrators should instead verify that devices have received the July 2026 Office security release for the channel assigned to them. A Windows cumulative update alone should not be treated as evidence that Microsoft 365 Apps have been patched.
Security controls such as Microsoft Defender SmartScreen, Protected View, attachment scanning, and mail filtering can reduce exposure to untrusted files. They are best treated as additional layers, however, rather than substitutes for the update. Microsoft’s public description does not establish that Protected View or macro blocking completely prevents exploitation.
Organizations with delayed Office servicing should prioritize groups that routinely process external spreadsheets. Finance, procurement, payroll, sales operations, insurance, and customer-support teams often open workbooks received from outside the organization, giving a crafted Excel document a plausible path to a targeted user.
Users should avoid opening unexpected spreadsheets while updates are pending, even when an attachment appears to come from a known contact. A compromised mailbox or hijacked collaboration account can make malicious Office content look consistent with an existing business conversation.
Mac administrators should verify that Microsoft 365 for Mac and Office LTSC for Mac have reached version 16.111.26071215 or later. Microsoft 365 Apps administrators should use the Office inventory and update reporting available through their management platform to confirm that the July 2026 security build has reached endpoints, rather than relying solely on the configured update channel.
Testing remains appropriate for systems that depend on COM add-ins, VBA automation, specialized financial plugins, or third-party applications that embed Excel. Those compatibility concerns justify a controlled deployment ring, not an indefinite delay, particularly because the same July Excel packages resolve multiple vulnerabilities with more severe outcomes than information disclosure.
CVE-2026-55138 is neither publicly exploited nor remotely triggerable without user involvement according to the initial records. Its practical lesson is still straightforward: Excel must be patched through Office servicing, and every affected deployment type—including Mac and Office Online Server—needs to be checked independently.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55138 is rated Medium with a CVSS 3.1 base score of 5.5. It is not known to have been exploited in the wild, but the breadth of affected Office installations makes the July security updates relevant to both managed fleets and standalone PCs.
The flaw stems from an untrusted pointer dereference in Excel. Microsoft says an unauthorized attacker could exploit it locally to disclose information, although successful exploitation requires a victim to take an action such as opening or otherwise interacting with attacker-controlled content.
A Medium Score Hides a High Confidentiality Impact
The CVSS vector for CVE-2026-55138 is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, exploitation is local rather than directly network-based, requires low attack complexity, needs no existing privileges, and depends on user interaction.The most important component is
C:H: successful exploitation can have a high impact on confidentiality. Microsoft does not attribute any integrity or availability impact to this CVE, meaning the documented outcome is data exposure rather than modification, code execution, or service disruption.That distinction matters when triaging the update. CVE-2026-55138 is not presented as a remote-code-execution flaw capable of immediately taking over a PC, but information disclosure can still expose material useful for a second stage of an attack. Spreadsheet files commonly contain financial figures, internal forecasts, customer records, credentials copied into cells, hidden worksheets, and links to corporate data sources.
Microsoft’s description does not identify exactly what information could be recovered or provide a public proof of concept. The CVE record classifies the weakness as CWE-822, Untrusted Pointer Dereference, indicating that Excel may dereference a pointer whose value cannot be trusted during processing.
An untrusted pointer can cause an application to access memory outside the data it was intended to handle. Depending on the affected code path, that behavior can disclose process memory or other data available to the application. Microsoft has not publicly documented the vulnerable Excel feature, workbook structure, or file format involved, so defenders should not assume that macros, external links, or another familiar Excel mechanism must be enabled for exposure to exist.
CISA’s initial assessment recorded no known exploitation and categorized the flaw as not automatable, with partial technical impact. That lowers the immediate urgency compared with an actively exploited Office zero-day, but it does not provide a reason to leave Excel unpatched.
The Affected List Reaches Beyond Excel 2016
The CVE record identifies affected editions across Windows, macOS, and Microsoft’s server-side Office stack. Organizations should check update compliance for the following products:- Microsoft 365 Apps for enterprise is affected on both 32-bit and 64-bit Windows installations.
- Microsoft Excel 2016 is affected on 32-bit and 64-bit Windows systems before version 16.0.5561.1001.
- Microsoft Office 2019 is affected on 32-bit and 64-bit Windows systems.
- Microsoft Office LTSC 2021 and Office LTSC 2024 are affected on Windows.
- Microsoft 365 for Mac is affected before version 16.111.26071215.
- Microsoft Office LTSC for Mac 2021 and 2024 are affected before version 16.111.26071215.
- Office Online Server is affected before version 16.0.10417.20175.
EXCEL.EXE on Windows desktops. Administrators operating browser-based document viewing and editing infrastructure must patch the server product separately.For Excel 2016, Microsoft issued KB5002886 on July 14. The update applies to MSI-based Excel 2016 installations and replaces KB5002865. Microsoft notes that the standalone Download Center package does not apply to Click-to-Run editions such as Microsoft 365, which receive fixes through their respective Office update channels.
KB5002886 addresses a large collection of Excel vulnerabilities rather than CVE-2026-55138 alone. Its security summary covers both information-disclosure and remote-code-execution flaws, strengthening the case for deploying the full update instead of evaluating this one CVE in isolation.
Office Online Server receives its July fixes through KB5002884, which replaces KB5002875. The package likewise addresses numerous Excel vulnerabilities, including CVE-2026-55138, and should be handled through the organization’s established Office Online Server servicing process.
Microsoft 365 Apps and retail Click-to-Run installations do not use the Excel 2016 MSI package. Administrators should instead verify that devices have received the July 2026 Office security release for the channel assigned to them. A Windows cumulative update alone should not be treated as evidence that Microsoft 365 Apps have been patched.
User Interaction Is Still an Attack Surface
The requirement for user interaction limits silent exploitation, but it fits a well-established Office attack pattern. An attacker can deliver a workbook through email, Microsoft Teams, a file-sharing service, a compromised website, or a business workflow that already expects spreadsheet attachments.Security controls such as Microsoft Defender SmartScreen, Protected View, attachment scanning, and mail filtering can reduce exposure to untrusted files. They are best treated as additional layers, however, rather than substitutes for the update. Microsoft’s public description does not establish that Protected View or macro blocking completely prevents exploitation.
Organizations with delayed Office servicing should prioritize groups that routinely process external spreadsheets. Finance, procurement, payroll, sales operations, insurance, and customer-support teams often open workbooks received from outside the organization, giving a crafted Excel document a plausible path to a targeted user.
Users should avoid opening unexpected spreadsheets while updates are pending, even when an attachment appears to come from a known contact. A compromised mailbox or hijacked collaboration account can make malicious Office content look consistent with an existing business conversation.
Patch Verification Matters More Than the CVSS Number
For managed environments, the immediate job is to identify the Office deployment model before checking compliance. MSI-based Excel 2016 systems should show KB5002886 and a corrected Excel version at or above 16.0.5561.1001, while Office Online Server should reach at least 16.0.10417.20175.Mac administrators should verify that Microsoft 365 for Mac and Office LTSC for Mac have reached version 16.111.26071215 or later. Microsoft 365 Apps administrators should use the Office inventory and update reporting available through their management platform to confirm that the July 2026 security build has reached endpoints, rather than relying solely on the configured update channel.
Testing remains appropriate for systems that depend on COM add-ins, VBA automation, specialized financial plugins, or third-party applications that embed Excel. Those compatibility concerns justify a controlled deployment ring, not an indefinite delay, particularly because the same July Excel packages resolve multiple vulnerabilities with more severe outcomes than information disclosure.
CVE-2026-55138 is neither publicly exploited nor remotely triggerable without user involvement according to the initial records. Its practical lesson is still straightforward: Excel must be patched through Office servicing, and every affected deployment type—including Mac and Office Online Server—needs to be checked independently.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: techradar.com
This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data | TechRadar
There's more than one way to skin an Excel tablewww.techradar.com