CVE-2026-55947: Patch Excel RCE in July 14, 2026 Updates

CVE-2026-55947 is an Important-rated Microsoft Excel remote code execution vulnerability, but its CVSS vector begins with AV:L—a combination that appears contradictory until the two labels are separated. “Remote code execution” describes where the attacker may be relative to the victim, while “local” describes where the vulnerable Excel process must execute the exploit.
Microsoft published the vulnerability on July 14, 2026, as part of its July Patch Tuesday release. Detailed in the Microsoft Security Response Center advisory, the flaw is a heap-based buffer overflow that can let an unauthorized attacker run code through a vulnerable copy of Excel. Microsoft assigned it a CVSS 3.1 score of 7.8, or High, with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
The practical attack scenario is familiar: an attacker located elsewhere sends or hosts a malicious workbook, but the victim must open or otherwise process that file on the affected machine. The exploit therefore arrives remotely while its decisive execution step occurs locally inside Excel.

Cybersecurity illustration shows a malicious Excel attachment detected and blocked, with defenses and patch protection enabled.“Remote” Does Not Mean Network-Reachable​

In a vulnerability title, remote code execution often evokes an internet-facing service that accepts a packet and immediately runs attacker-controlled code. That is one form of RCE, but it is not the only one.
Microsoft also uses the classification for client-side file-processing vulnerabilities. An attacker can create a malicious Excel document, distribute it through email, a download, cloud storage, a collaboration platform, or another delivery mechanism, and wait for a user to open it. The attacker does not need to be sitting at the Windows or Mac computer, even though Excel must process the weaponized content locally.
MSRC explains this distinction directly in its advisory. The word remote refers to the attacker’s location, while the actual exploitation takes place on the victim’s local machine. Microsoft notes that this class of issue may also be described as arbitrary code execution, or ACE.
The AV:L metric is consequently not saying that an attacker requires physical access, an interactive logon, or an existing local account. It says that exploitation does not cross a network boundary directly into the vulnerable component. Excel must be running on the target system and must encounter the malicious input there.
That makes CVE-2026-55947 materially different from a flaw in Remote Desktop Services, SMB, HTTP.sys, or another listening service where specially crafted network traffic can reach vulnerable code without first becoming a local file or object. Both categories can culminate in attacker-controlled code execution, but they take different routes to reach that point.

The CVSS Vector Shows a Document-Borne Attack​

The remaining CVSS fields clarify the expected attack chain. Microsoft’s vector specifies low attack complexity, no privileges required, and required user interaction:
  • AV:L means the vulnerable Excel component is exploited through an action performed on the local system.
  • AC:L means Microsoft does not identify substantial conditions outside the attacker’s control that must align for exploitation.
  • PR:N means the attacker does not need an account or privileges on the target before attempting the attack.
  • UI:R means another person must perform an action, typically involving the malicious document.
  • S:U indicates that successful exploitation remains within Excel’s existing security authority rather than crossing into a separately governed security scope.
  • C:H/I:H/A:H reflects potentially high impact to confidentiality, integrity, and availability.
The combination of PR:N and UI:R is particularly important. An attacker may start with no access to the target machine, but exploitation still depends on persuading a user to interact with attacker-controlled content. That is a common pattern for Office vulnerabilities distributed through phishing and malicious downloads.
If exploitation succeeds, the resulting code generally operates with the rights of the user running Excel. A standard user account limits the immediate authority available to the malicious process, while a user operating with administrative privileges gives the attacker a more powerful starting position. Endpoint protections and application controls may still interrupt later stages, but they do not change the underlying RCE classification.
CVE-2026-55947 is also identified as CWE-122, a heap-based buffer overflow. Such flaws arise when software writes more data into a heap allocation than that allocation can safely hold, potentially corrupting adjacent memory. Carefully shaped input can sometimes turn that memory corruption into control over program execution rather than merely crashing Excel.

The Patch Reaches Windows, Mac, and Office Online Server​

The affected-product record is broader than one retail Excel release. It covers Microsoft 365 Apps for Enterprise on 32-bit and x64 Windows systems, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Microsoft 365 for Mac, Office LTSC for Mac 2021 and 2024, and Office Online Server.
For editions maintained through Microsoft’s Office servicing channels, administrators should use their normal deployment tools to verify that the July 2026 Office security updates have reached managed devices. This includes checking update compliance rather than assuming that Windows Update, Configuration Manager, Intune, or the Microsoft 365 Apps update channel completed installation everywhere.
The published affected-version data gives several concrete boundaries. Excel 2016 builds earlier than 16.0.5561.1001 are listed as affected. The affected Mac editions require version 16.111.26071215 or later, while Office Online Server must reach at least 16.0.10417.20175.
Those numbers matter in environments with delayed deployment rings, frozen virtual desktop images, nonpersistent sessions, or devices that spend long periods away from corporate management. Microsoft 365 Apps may update automatically, but automatic servicing is not the same as verified installation.
Office Online Server also deserves separate inventory attention. A vulnerability involving document processing is not necessarily confined to desktops because server-side Office components can parse uploaded or rendered content. Administrators should identify the precise affected product and apply the corresponding Microsoft release rather than treating this solely as an Excel workstation update.
Microsoft classified exploitation as less likely, according to the July 2026 Patch Tuesday listing compiled by BleepingComputer, and no public disclosure or active exploitation was identified at release. CISA’s initial SSVC data likewise recorded no known exploitation, while assessing the potential technical impact as total. Those indicators affect prioritization, but they do not make malicious spreadsheets safe to handle.

User Interaction Lowers Urgency, Not Impact​

CVE-2026-55947 is rated Important rather than Critical, despite the potential for complete compromise of data available to the affected user. The need for user interaction and the local CVSS attack vector help explain that rating.
For enterprise defenders, however, malicious-document attacks remain operationally credible because Excel files are routine business objects. Finance departments, procurement teams, analysts, and administrators regularly exchange spreadsheets with outside organizations, making an unexpected workbook less conspicuous than an executable attachment.
Email filtering, Protected View, Microsoft Defender for Office 365, attack surface reduction rules, application control, and least-privilege user accounts provide useful layers around the patch. None should be treated as a permanent substitute for updating Excel, particularly because security controls can be weakened by trusted locations, user overrides, exclusions, or established internal file-sharing workflows.
The apparent disagreement between the title and AV:L is therefore mainly a terminology problem. CVE-2026-55947 is not described as a zero-click, network-reachable Excel service vulnerability. It is a remotely initiated, locally triggered code-execution flaw in which attacker-controlled spreadsheet content reaches Excel and a user action allows the vulnerable application to process it.
Administrators should deploy the July 14, 2026 Office updates, confirm the installed Excel and Office Online Server versions, and continue treating unsolicited workbooks as executable-risk content. The attacker can remain remote; only the vulnerable copy of Excel and the final user interaction need to be local.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: techradar.com
 

Back
Top