CVE-2026-55899 is an Important-rated Microsoft Excel vulnerability that can let an attacker’s code run on a victim’s PC after the victim opens or otherwise processes a malicious file. The apparent contradiction in Microsoft’s advisory—remote code execution in the title but Local in the CVSS attack vector—comes from two different uses of the word “remote.”
Microsoft’s Security Response Center published the flaw on July 14, 2026, as part of the July security release. The National Vulnerability Database describes it as a stack-based buffer overflow in Microsoft Office Excel that permits an unauthorized attacker to execute code locally. Microsoft scores it at 7.8 out of 10 with the vector
That vector says exploitation requires local interaction with Excel, not that the attacker must already be sitting at the keyboard or logged on to the computer. A remote attacker can prepare and deliver the malicious workbook, while the vulnerable parsing and code execution occur on the recipient’s machine.
In Microsoft vulnerability titles, remote code execution generally describes the security outcome: an attacker who is not initially operating on the target can cause attacker-controlled code to execute there. The attacker might distribute a weaponized Excel file through email, a collaboration platform, a download site, cloud storage, or another social-engineering channel.
The CVSS Attack Vector metric asks a narrower question: how does the attacker reach the vulnerable component during exploitation? For CVE-2026-55899, Excel must process content on the local machine. The vulnerable operation is not exposed as a network service that an attacker can directly contact over TCP/IP.
That is why the vector is
Microsoft addresses this distinction directly in its advisory. The company says “Remote” refers to the attacker’s location and notes that this class of issue is also sometimes called arbitrary code execution, or ACE. The exploit itself is carried out through code executing or content being processed on the local system.
This terminology can sound counterintuitive because “remote code execution” is often informally treated as synonymous with a remotely reachable network vulnerability. CVSS does not use the term that broadly. A network-reachable server flaw and a malicious-document flaw can both produce remote code execution, yet receive different Attack Vector values because the path to exploitation differs.
The practical attack chain is therefore likely to begin away from the target but finish locally: an attacker creates a malicious Excel document, convinces a recipient to obtain and open it, and relies on Excel’s vulnerable processing path to corrupt memory. Successful exploitation could then run code with the permissions available to the Excel process and the signed-in user.
Microsoft identifies the underlying weakness as a stack-based buffer overflow and associates the CVE with CWE-121. A stack buffer overflow occurs when software writes more data into a stack-allocated region than it can safely hold, potentially overwriting nearby control information. Carefully constructed input can sometimes turn that corruption into execution of attacker-selected instructions rather than merely crashing the application.
The
Once exploitation succeeds, however, the confidentiality, integrity, and availability impacts are all rated High. Code running in the user’s context could potentially access files available to that account, alter data, install additional payloads where permissions allow, or disrupt the system. Users working with administrative rights would generally expose more of the machine than users operating under standard accounts.
The distinction matters for vulnerability-management teams. A scanner or dashboard that filters exclusively for
Zero Day Initiative’s review of Microsoft’s July 2026 release lists CVE-2026-55899 among numerous Important-rated Excel RCE fixes, with a 7.8 score. Its release table indicates that this CVE was neither publicly disclosed nor known to be exploited when the updates shipped. That lowers the immediate evidence of active attack activity, but it does not remove the need to update Office installations.
Organizations should also retain the controls that limit malicious-document attacks while patch deployment is underway. Protected View, Mark of the Web handling, email attachment scanning, Microsoft Defender protections, application control, and standard-user permissions can add barriers around the exploit chain. Users should avoid opening unexpected spreadsheets, especially when the sender or business pretext cannot be independently verified.
CVE-2026-55899 is therefore not mislabeled. It is remote code execution because a remote adversary can cause code of their choosing to run on another person’s computer; it is
Microsoft’s Security Response Center published the flaw on July 14, 2026, as part of the July security release. The National Vulnerability Database describes it as a stack-based buffer overflow in Microsoft Office Excel that permits an unauthorized attacker to execute code locally. Microsoft scores it at 7.8 out of 10 with the vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.That vector says exploitation requires local interaction with Excel, not that the attacker must already be sitting at the keyboard or logged on to the computer. A remote attacker can prepare and deliver the malicious workbook, while the vulnerable parsing and code execution occur on the recipient’s machine.
“Remote” Describes the Attacker, Not the Parser
In Microsoft vulnerability titles, remote code execution generally describes the security outcome: an attacker who is not initially operating on the target can cause attacker-controlled code to execute there. The attacker might distribute a weaponized Excel file through email, a collaboration platform, a download site, cloud storage, or another social-engineering channel.The CVSS Attack Vector metric asks a narrower question: how does the attacker reach the vulnerable component during exploitation? For CVE-2026-55899, Excel must process content on the local machine. The vulnerable operation is not exposed as a network service that an attacker can directly contact over TCP/IP.
That is why the vector is
AV:L rather than AV:N. The malicious file can arrive from the internet, but the triggering operation takes place locally when Excel handles it.Microsoft addresses this distinction directly in its advisory. The company says “Remote” refers to the attacker’s location and notes that this class of issue is also sometimes called arbitrary code execution, or ACE. The exploit itself is carried out through code executing or content being processed on the local system.
This terminology can sound counterintuitive because “remote code execution” is often informally treated as synonymous with a remotely reachable network vulnerability. CVSS does not use the term that broadly. A network-reachable server flaw and a malicious-document flaw can both produce remote code execution, yet receive different Attack Vector values because the path to exploitation differs.
The CVSS String Shows the Expected Attack Chain
The full Microsoft-provided CVSS 3.1 vector reveals more about the likely exploitation model than the title alone:AV:Lmeans the vulnerable component is accessed through the target system rather than directly across an adjacent or wide-area network.AC:Lindicates Microsoft does not expect exploitation to require unusual race conditions, specialized preparation of the target, or other high-complexity circumstances.PR:Nmeans the attacker does not need an existing account or privileges on the target before attempting the attack.UI:Rmeans a user must perform an action for exploitation to succeed.S:Umeans the security impact remains within the vulnerable component’s existing security authority.C:H/I:H/A:Hindicates potentially high impact to confidentiality, integrity, and availability.
AV:L, PR:N, and UI:R is common for malicious-document vulnerabilities. The adversary does not need to authenticate to the victim’s computer, but cannot simply send network packets to Excel and compromise it unattended. A user or another local workflow must cause Excel to process the hostile content.The practical attack chain is therefore likely to begin away from the target but finish locally: an attacker creates a malicious Excel document, convinces a recipient to obtain and open it, and relies on Excel’s vulnerable processing path to corrupt memory. Successful exploitation could then run code with the permissions available to the Excel process and the signed-in user.
Microsoft identifies the underlying weakness as a stack-based buffer overflow and associates the CVE with CWE-121. A stack buffer overflow occurs when software writes more data into a stack-allocated region than it can safely hold, potentially overwriting nearby control information. Carefully constructed input can sometimes turn that corruption into execution of attacker-selected instructions rather than merely crashing the application.
User Interaction Lowers the Score, Not the Consequence
The required user action is an important constraint, but it does not make the vulnerability harmless. Excel files routinely pass through email, Microsoft Teams, SharePoint, OneDrive, ticketing systems, accounting processes, and supplier portals. A workbook that appears to contain an invoice, forecast, payroll report, or project schedule can fit naturally into normal business activity.The
UI:R metric also explains why Microsoft rates CVE-2026-55899 Important rather than Critical despite its high-impact RCE outcome. The attacker must cross a social or workflow boundary before reaching the vulnerable Excel code. That is materially different from an unauthenticated network service that can be compromised without any action by the target.Once exploitation succeeds, however, the confidentiality, integrity, and availability impacts are all rated High. Code running in the user’s context could potentially access files available to that account, alter data, install additional payloads where permissions allow, or disrupt the system. Users working with administrative rights would generally expose more of the machine than users operating under standard accounts.
The distinction matters for vulnerability-management teams. A scanner or dashboard that filters exclusively for
AV:N flaws could overlook CVE-2026-55899 even though it belongs to a familiar phishing and malicious-attachment threat model. Conversely, calling it a one-click network compromise would overstate what Microsoft’s metrics say is required.Zero Day Initiative’s review of Microsoft’s July 2026 release lists CVE-2026-55899 among numerous Important-rated Excel RCE fixes, with a 7.8 score. Its release table indicates that this CVE was neither publicly disclosed nor known to be exploited when the updates shipped. That lowers the immediate evidence of active attack activity, but it does not remove the need to update Office installations.
Patch Excel and Keep Document Controls in Place
Administrators should deploy the applicable July 2026 Microsoft Office or Microsoft 365 Apps security updates through their established servicing channel. Click-to-Run Microsoft 365 Apps installations and MSI-based perpetual Office products use different update mechanisms, so inventory should distinguish between them rather than assuming one package covers every Excel deployment.Organizations should also retain the controls that limit malicious-document attacks while patch deployment is underway. Protected View, Mark of the Web handling, email attachment scanning, Microsoft Defender protections, application control, and standard-user permissions can add barriers around the exploit chain. Users should avoid opening unexpected spreadsheets, especially when the sender or business pretext cannot be independently verified.
CVE-2026-55899 is therefore not mislabeled. It is remote code execution because a remote adversary can cause code of their choosing to run on another person’s computer; it is
AV:L because the vulnerable Excel processing and final exploit trigger occur locally. The most accurate shorthand is remote delivery, local triggering, arbitrary code execution—a malicious-document pattern that remains highly relevant even without a network attack vector.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: May 13, 2025 (KB5002717) | Microsoft Support
Description of the security update for Excel 2016: May 13, 2025 (KB5002717)support.microsoft.com