CVE-2026-55949 is a high-severity Microsoft Excel vulnerability that can let an attacker run arbitrary code after a user opens or otherwise processes malicious content locally. Microsoft classifies the flaw as a remote code execution vulnerability, but its CVSS 3.1 vector uses
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS base score of 7.8. Microsoft describes it as a “use of uninitialized resource” flaw in Excel and assigns it CWE-908. The important distinction is that “remote code execution” describes the security impact and attacker relationship, while “local attack vector” describes where the vulnerable operation must occur.
In practical terms, this is not a zero-click Excel service exposed to the internet. The victim must interact with attacker-controlled content, and Excel must process that content on the local device.
Microsoft’s published vector is
The apparent contradiction comes from two different uses of the word remote. In Microsoft vulnerability titles, remote code execution generally means an attacker can cause code of the attacker’s choosing to run on another user’s system. It does not necessarily mean the vulnerable application listens for unauthenticated network traffic or can be compromised simply by sending packets to it.
Microsoft addresses that distinction directly in its CVE-2026-55949 advisory. The company says “Remote” in the title refers to the attacker’s location and notes that this class of weakness is also called arbitrary code execution, or ACE. The actual exploitation is local because code or crafted content must be executed or processed on the affected machine.
A likely attack path therefore starts remotely but finishes locally. An attacker could distribute a specially crafted Excel document through email, a messaging platform, cloud storage, a website, or another delivery channel. The CVSS calculation focuses on the step that triggers the vulnerability: the victim opening or processing the file in Excel on the local system.
That is why the vulnerability receives
This distinction matters when administrators prioritize patches. A network-vector vulnerability in a publicly reachable service may be exposed continuously, whereas an Office file vulnerability usually depends on content entering the organization and reaching a user willing or able to open it. That lowers exposure in some environments, but it does not make the resulting compromise minor.
If exploitation succeeds, Microsoft assigns high impact across all three primary security properties. Code could potentially run with the permissions of the user operating Excel, allowing the attacker to access data, alter files, install additional payloads, or disrupt the affected system. Users with local administrative rights would consequently present a more valuable target than tightly restricted standard accounts.
The
Low attack complexity, represented by
Office Online Server administrators should not assume ordinary Microsoft 365 update mechanisms cover their deployment. The CVE data identifies 16.0.10417.20175 as the corrected version boundary, making server inventory and update verification necessary even though the CVSS attack vector is local.
The presence of Office Online Server does not automatically turn the vulnerability into a network-vector flaw. CVSS rates the conditions required to exploit the vulnerable component, not merely whether an affected product can operate in a server environment.
Those controls are layers rather than substitutes for patching. Files can arrive through collaboration tools, synced OneDrive or SharePoint folders, removable storage, archives, and established business relationships that bypass crude attachment rules. A spreadsheet may also appear routine enough that a recipient has little reason to suspect it.
Administrators should verify that Microsoft 365 Apps are receiving current builds, deploy the relevant security updates to Office 2016 and Office LTSC installations, and separately check Mac and Office Online Server estates. Systems shared by privileged administrators deserve particular attention because successful code execution inherits the victim’s security context.
CVE-2026-55949’s naming is therefore consistent with Microsoft’s terminology even though it can initially appear inconsistent with CVSS. The attacker may be remote and the result may be attacker-controlled code execution, but the vulnerable Excel operation occurs locally and requires user interaction. For defenders, the actionable conclusion is straightforward: block suspicious workbook delivery where possible, keep users out of unnecessarily privileged sessions, and install the July 2026 Office fixes across every affected edition.
AV:L, or Local, because exploitation does not occur directly across a network protocol.Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS base score of 7.8. Microsoft describes it as a “use of uninitialized resource” flaw in Excel and assigns it CWE-908. The important distinction is that “remote code execution” describes the security impact and attacker relationship, while “local attack vector” describes where the vulnerable operation must occur.
In practical terms, this is not a zero-click Excel service exposed to the internet. The victim must interact with attacker-controlled content, and Excel must process that content on the local device.
Remote Delivery Does Not Make the Vector Network-Based
Microsoft’s published vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That breaks down as a local attack vector, low attack complexity, no privileges required, required user interaction, unchanged scope, and high potential impact to confidentiality, integrity, and availability.The apparent contradiction comes from two different uses of the word remote. In Microsoft vulnerability titles, remote code execution generally means an attacker can cause code of the attacker’s choosing to run on another user’s system. It does not necessarily mean the vulnerable application listens for unauthenticated network traffic or can be compromised simply by sending packets to it.
Microsoft addresses that distinction directly in its CVE-2026-55949 advisory. The company says “Remote” in the title refers to the attacker’s location and notes that this class of weakness is also called arbitrary code execution, or ACE. The actual exploitation is local because code or crafted content must be executed or processed on the affected machine.
A likely attack path therefore starts remotely but finishes locally. An attacker could distribute a specially crafted Excel document through email, a messaging platform, cloud storage, a website, or another delivery channel. The CVSS calculation focuses on the step that triggers the vulnerability: the victim opening or processing the file in Excel on the local system.
That is why the vulnerability receives
AV:L rather than AV:N. Email delivery alone does not mean that the vulnerable Excel component is reachable over the network.User Interaction Is the Critical Boundary
TheUI:R component confirms that successful exploitation requires an action by someone other than the attacker. Microsoft’s description does not support treating CVE-2026-55949 as a zero-click network attack against an idle Excel installation.This distinction matters when administrators prioritize patches. A network-vector vulnerability in a publicly reachable service may be exposed continuously, whereas an Office file vulnerability usually depends on content entering the organization and reaching a user willing or able to open it. That lowers exposure in some environments, but it does not make the resulting compromise minor.
If exploitation succeeds, Microsoft assigns high impact across all three primary security properties. Code could potentially run with the permissions of the user operating Excel, allowing the attacker to access data, alter files, install additional payloads, or disrupt the affected system. Users with local administrative rights would consequently present a more valuable target than tightly restricted standard accounts.
The
PR:N metric should not be misread as meaning the victim performs no action. It means the attacker does not require an existing authenticated or privileged foothold before launching the attack. The separate UI:R metric captures the requirement for victim involvement.Low attack complexity, represented by
AC:L, also indicates that Microsoft has not identified unusual conditions that must exist before exploitation can work. The combination of no required attacker privileges, low complexity, and high post-exploitation impact explains why the score remains 7.8 despite the local vector and user-interaction requirement.The Patch Reaches Across Supported Office Editions
The CVE record identifies affected deployments across perpetual Office releases, Microsoft 365, macOS, and Office Online Server. Products listed as affected include:- Microsoft 365 Apps for enterprise on 32-bit and x64 Windows systems.
- Microsoft Excel 2016 on 32-bit and x64 Windows systems.
- Microsoft Office 2019 on 32-bit and x64 Windows systems.
- Microsoft Office LTSC 2021 and Office LTSC 2024.
- Microsoft 365 for Mac.
- Microsoft Office LTSC for Mac 2021 and 2024.
- Microsoft Office Online Server.
Office Online Server administrators should not assume ordinary Microsoft 365 update mechanisms cover their deployment. The CVE data identifies 16.0.10417.20175 as the corrected version boundary, making server inventory and update verification necessary even though the CVSS attack vector is local.
The presence of Office Online Server does not automatically turn the vulnerability into a network-vector flaw. CVSS rates the conditions required to exploit the vulnerable component, not merely whether an affected product can operate in a server environment.
File Controls Reduce Exposure but Do Not Replace the Fix
Organizations that cannot deploy the July 14 updates immediately should treat untrusted spreadsheet files as the central exposure point. Email filtering, attachment sandboxing, Protected View, application isolation, Mark of the Web enforcement, and restrictions on files downloaded from external sources can all make malicious-document delivery more difficult.Those controls are layers rather than substitutes for patching. Files can arrive through collaboration tools, synced OneDrive or SharePoint folders, removable storage, archives, and established business relationships that bypass crude attachment rules. A spreadsheet may also appear routine enough that a recipient has little reason to suspect it.
Administrators should verify that Microsoft 365 Apps are receiving current builds, deploy the relevant security updates to Office 2016 and Office LTSC installations, and separately check Mac and Office Online Server estates. Systems shared by privileged administrators deserve particular attention because successful code execution inherits the victim’s security context.
CVE-2026-55949’s naming is therefore consistent with Microsoft’s terminology even though it can initially appear inconsistent with CVSS. The attacker may be remote and the result may be attacker-controlled code execution, but the vulnerable Excel operation occurs locally and requires user interaction. For defenders, the actionable conclusion is straightforward: block suspicious workbook delivery where possible, keep users out of unnecessarily privileged sessions, and install the July 2026 Office fixes across every affected edition.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for Excel 2016: July 8, 2025 (KB5002749) | Microsoft Support
Description of the security update for Excel 2016: July 8, 2025 (KB5002749)support.microsoft.com - Related coverage: caloes.ca.gov
</rdf:Alt> </dc:title> <dc:description> <rdf:Alt> <rdf:li xml:lang="x-default"/> </rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contra
</rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contractor) Melanie, Barlow@CalOESwww.caloes.ca.gov