Microsoft’s July 2026 Patch Tuesday landed on July 14, and among the fixes is a vulnerability in Excel that security teams and everyday users should take seriously. Designated CVE-2026-55039, the flaw received a CVSS 3.1 base score of 7.8 and an “Important” severity rating from Microsoft. While an attacker needs to trick you into opening a booby-trapped spreadsheet, the consequences can be severe: full control over your computer if the attack succeeds.
The vulnerability affects a sweeping list of Office versions—from Microsoft 365 apps to Excel 2016, Office 2019, and even Office for Mac. A successful exploit could let an attacker run code with your permissions, potentially installing programs, stealing data, or moving laterally across a corporate network. The good news: the fix is out, and you can apply it right now.
How the Bug Works: An Integer Underflow
Under the hood, CVE-2026-55039 stems from an integer underflow (CWE-191) that can lead to a heap-based buffer overflow (CWE-122) when Excel parses a maliciously crafted workbook. An integer underflow happens when a calculation produces a number lower than the minimum value the program’s memory can hold. Instead of a negative result, the value wraps around to a very large positive number. Imagine a car odometer rolling over: if you somehow drive in reverse, it might show 999,999 miles instead of a negative distance. In a computer, that unexpectedly huge number can then corrupt memory allocation.
When Excel opens a file designed to exploit this, the faulty arithmetic can allow an attacker to overwrite critical memory structures and redirect program execution to attacker-controlled instructions. Microsoft hasn’t publicly released technical details or a proof-of-concept, but the CVE’s impact ratings—high across confidentiality, integrity, and availability—confirm that the outcome is more than a simple crash. In the worst case, an attacker’s arbitrary code runs in the context of the current user.
What’s Affected: A Broad Patch Rollout
CVE-2026-55039 hits multiple Microsoft Office editions. The security update guide lists these affected products:
- Microsoft 365 Apps for enterprise
- Excel 2016 (both retail and volume license)
- Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Microsoft 365 for Mac
- Office for Mac
- Office Online Server
For Excel 2016, Microsoft released KB5002886, which brings the build to 16.0.5561.1001 or later. Office Online Server gets patched through KB5002884, with build 16.0.10417.20175. Mac users should look for version 16.111.26071215 or higher, delivered via Microsoft AutoUpdate. If you’re on Microsoft 365 Apps (the subscription version), updates roll out through your configured update channel—typically Click-to-Run—so ensure that channel isn’t paused. Standalone MSI-based installations must be patched manually if automatic updates are turned off.
IT administrators should verify deployment thoroughly. A PC that shows “Windows is up to date” doesn’t automatically mean Office is current. Run Excel and check File > Account > About Excel to confirm the build number matches the fixed thresholds. For Office Online Server farms, apply the patch and restart services accordingly.
Remote Code Execution, Local Vector: Clearing Up the Confusion
The CVE title calls this “remote code execution,” but the CVSS vector shows an attack vector of Local (AV:L). That mismatch can confuse anyone reading the advisory. Microsoft addresses this directly in its Security Update Guide FAQ: “The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”
In simpler terms: the attacker can be anywhere—sending a phishing email from another continent—but the vulnerability is triggered when Excel processes the file on your machine. That’s considered “local” in CVSS terms because no network connection is needed to exploit the software bug itself. The CVSS vector for CVE-2026-55039 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) spells out the practical implications:
- Attack Vector (Local): You must open the file on your computer; it’s not a network worm.
- Attack Complexity (Low): Once you open the file, exploiting it is relatively straightforward for the attacker.
- Privileges Required (None): The attacker doesn’t need a prior account on your system.
- User Interaction (Required): You must take an action—like double-clicking an attachment—to start the exploit.
- Scope (Unchanged): The attack doesn’t hop to other security boundaries.
- Impact (High for all): Full compromise of confidentiality, integrity, and availability.
The key takeaway: this isn’t a vulnerability that can be exploited by someone scanning the internet for exposed computers. An attacker needs you to open a harmful workbook. But once you do, they could gain the same access you have—administrator rights if you’re logged in as admin, making the damage worse.
How an Attack Might Play Out
Attackers typically deliver malicious Excel files through email, instant messaging, shared cloud storage links, or compromised websites. An invoice, resume, budget report, or any document that encourages immediate clicking makes an effective lure. Because the file format is trusted, many users don’t think twice before opening a spreadsheet from what looks like a known contact.
Security teams should consider the attack chain: the file arrives via email (bypassing simple filters if it’s a lightly obfuscated XLS or XLSX), Outlook may show a preview that triggers the vulnerability (if preview pane is enabled and the file is processed), and then Excel launches—potentially spawning child processes like PowerShell to download additional payloads. The CVE doesn’t require macros to be enabled; the flaw lies in how Excel handles workbook data.
After patching, monitor for any unexpected Excel crashes. While a crash alone doesn’t prove exploitation, it could be a canary. Investigate any instances of EXCEL.EXE spawning suspicious child processes (cmd.exe, powershell.exe, mshta.exe, rundll32.exe, wscript.exe). Defense tools like Microsoft Defender’s Attack Surface Reduction (ASR) rules can help block such behavior even before patching.
What to Do Now: Steps for Every User
For home users and individuals:
1. Apply the update immediately. On Windows, open any Office application, go to File > Account > Update Options > Update Now. On Mac, run Microsoft AutoUpdate. Restart apps afterward.
2. Verify your build. After updating, check the version number in Excel’s account settings to match the fixed builds mentioned earlier.
3. Be wary of unexpected attachments. Even if a file seems to come from a colleague or friend, confirm via another communication channel if you weren’t expecting it. The old advice holds: “When in doubt, don’t open it.”
For IT and system administrators:
1. Deploy patches through your standard tools—WSUS, SCCM, Intune, or third-party patch management. Prioritize machines where users frequently handle external spreadsheets.
2. Check Office Online Server separately. It’s often forgotten. Apply KB5002884 and verify the build reaches 16.0.10417.20175.
3. Temporarily tighten email filters to quarantine XLS, XLSX, XLSM, and XLSB attachments from external senders, if business rules allow. This reduces phishing risk while patches roll out.
4. Consider enabling ASR rules that block Office apps from creating child processes, and blocking executable content from Office communication apps. These rules don’t prevent the initial exploit but can cripple post-exploitation actions.
5. Preserve Mark of the Web: Ensure files downloaded from the internet retain their MOTW zone identifier. Many exploitation attempts fail when Office enforces Protected View for internet-origin files.
6. Audit user privileges. Since the attack runs with the victim’s permissions, enforce least-privilege for everyday accounts. Remove local admin rights where possible.
7. Monitor for exploitation. Look for endpoint detection alerts involving Excel spawning unusual processes. Collect and analyze any suspicious workbooks that trigger crashes.
8. Patch macOS office installations. Don’t overlook Macs. Use Microsoft AutoUpdate or the latest Microsoft 365/Mac installer.
For developers and security researchers:
- While no PoC is public yet, this vulnerability type—integer underflow in a file parser—is a classic pattern. If you write code that processes binary file formats, validate all arithmetic operations on size fields. Use safe integer libraries to prevent wraparound errors.
How We Got Here: Office Patching in Context
CVE-2026-55039 was patched as part of Microsoft’s regular July 2026 security release cadence. Historically, Office client vulnerabilities with UI:R requirements are common: they rely on user trust rather than network flaws. The shift to cloud-based collaboration (Teams, OneDrive) has only broadened the attack surface, as users often open shared files without a second thought.
This isn’t the first integer underflow in Office, and it won’t be the last. Microsoft’s Security Development Lifecycle (SDL) catches many such bugs, but file format parsers remain fertile ground for memory safety issues. The move to 64-bit Office and the gradual integration of memory-safe languages may reduce these over time, but for now, patching and user training are the front lines.
What’s Next
As of this writing, Microsoft hasn’t reported active exploitation of CVE-2026-55039. But given that a working exploit could be reverse-engineered from the patch, it’s only a matter of time before threat actors begin crafting attacks. The window between Patch Tuesday and wide deployment is always a race. Organizations that delay updates face the highest risk. Stay alert for any future advisories from Microsoft regarding in-the-wild detection, and apply the July 14 fix without delay.