On July 14, 2026, Microsoft released its monthly security updates, and among them is a critical fix for a high‑severity vulnerability in Excel, tracked as CVE‑2026‑55029. This heap‑based buffer overflow, carrying a CVSS score of 7.8, could let an attacker run malicious code on your computer just by convincing you to open a specially crafted spreadsheet. Although the attack itself requires local processing by Excel, the danger can arrive from anywhere — email, cloud storage, or a malicious website.

The Vulnerability at a Glance

CVE‑2026‑55029 is a classic memory‑corruption flaw — a heap‑based buffer overflow (CWE‑122) in Microsoft Office Excel. When Excel parses a workbook that’s been booby‑trapped with oversized data, it can spill past the allocated memory buffer, corrupting adjacent memory. A skilled attacker can weaponize that corruption to redirect the program’s execution and run arbitrary code with the privileges of the logged‑in user.

Microsoft’s CVSS 3.1 vector tells the technical story: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That means attack vector local, attack complexity low, no privileges required, user interaction required, scope unchanged, and high impact on confidentiality, integrity, and availability. At first glance, “local” seems to contradict the “remote code execution” label, but Microsoft clarifies the distinction: “Remote” describes where the attacker is — potentially anywhere in the world — while “local” describes how the exploit reaches the vulnerable component. The attacker doesn’t launch a direct network attack against Excel; instead, they rely on you to bring the poisoned file into Excel’s local execution context. This is the same pattern seen in countless document‑based Office attacks.

Who’s at Risk and What’s the Impact?

If you use any supported version of Microsoft Excel, you’re in the crosshairs. The advisory lists a long roster of affected products:
- Microsoft 365 Apps for Enterprise (all current channels)
- Excel 2016 (perpetual license, fixed with KB5002886, requiring build 16.0.5561.1001 or later)
- Office 2019, Office LTSC 2021, and Office LTSC 2024
- Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 (patched in version 16.111.26071215)
- Office Online Server (needs update to version 16.0.10417.20175)

Home users on Windows and Mac: If you get your Office through a Microsoft 365 subscription or a one‑time purchase and have automatic updates turned on, you’ve likely already received the fix. If you’re still on Excel 2016 without automatic updates, you’re especially vulnerable — that version requires a manual patch.

IT administrators in business settings: This is a patch‑now situation. Because user interaction is required, the primary delivery mechanism will be spear‑phishing or drive‑by downloads. Your email gateways, attachment sandboxes, and endpoint detection systems can block many attempts, but they won’t catch everything. Unpatched Excel is a wide‑open door. Prioritize pushing the July 2026 Office security update through your management tools (SCCM, Intune, WSUS). Don’t forget Mac workstations and any Office Online Server deployments — those are less visible but just as exposed.

What successful exploitation looks like: If an attacker manages to exploit this flaw, they gain the ability to install programs, view, change, or delete data, and create new accounts with full user rights — all in the context of the current user. If that user has administrative privileges, the attacker owns the machine. The “Important” severity rating from Microsoft reflects the required user interaction and local attack vector, not the magnitude of the damage.

How Did We Get Here?

This isn’t the first heap overflow in Excel, and it won’t be the last. Office applications have been a favorite target for attackers for decades because spreadsheets, documents, and presentations are shared so freely. The July 2026 Patch Tuesday cycle brought fixes for multiple products, but CVE‑2026‑55029 stands out because of its high impact and low attack complexity.

According to the Zero Day Initiative’s review of the same Patch Tuesday, there was no evidence of public disclosure or active exploitation when the update shipped. CISA’s initial assessment mirrored that. However, history shows that once a patch is reverse‑engineered, attackers quickly produce working exploits. The clock is ticking.

The heap‑based buffer overflow class itself underscores a painful reality: even after years of memory‑safe language campaigns, critical Office components are still written in C/C++ and still suffer from manual memory‑management bugs. Every Patch Tuesday brings a handful of these, and they almost always score high.

Immediate Steps to Protect Your System

1. Update now.
- Windows (Microsoft 365 or newer Office): Open any Office app, go to File > Account > Update Options > Update Now. Or run Windows Update and make sure “Receive updates for other Microsoft products” is enabled.
- Excel 2016 standalone: Download and install KB5002886 manually from the Microsoft Update Catalog, or run Windows Update. Verify the build number is 16.0.5561.1001 or higher (File > Account > About Excel).
- Mac: Open any Office for Mac app, click Help > Check for Updates. Make sure you get version 16.111.26071215 or later.
- Office Online Server: Administrators must deploy the July 2026 update to bring the server to at least version 16.0.10417.20175.

2. Verify the patch.
After updating, check the file version of Excel.exe (on Windows) or the application version (on Mac) to confirm the fix is in place. In managed environments, use your inventory tools to scan for vulnerable builds.

3. Strengthen defenses if you can’t patch immediately.
- Use Protected View: Excel opens files from the internet in read‑only mode by default. Train users not to click “Enable Editing” on suspicious files.
- Enable Mark of the Web (MOTW) enforcement: Windows attaches a zone identifier to files downloaded from the internet, and Office respects that. Do not bypass it.
- Deploy Attack Surface Reduction (ASR) rules in Defender for Endpoint: For example, block Office applications from creating child processes or injecting code.
- Isolate Office Online Server from the internet if not strictly necessary.

4. Tell your people. Communicate with end users: “If you get an unexpected Excel file in email, Teams, or a shared folder, don’t open it. Forward it to security.”

Looking Ahead

There’s no reason to believe this is the last Excel memory‑corruption bug. Microsoft’s shift toward cloud‑first, memory‑safe languages for new components is encouraging, but the legacy codebase will keep throwing up such issues for years. The July 2026 updates are out; make certain they’re installed everywhere. Security researchers and criminal groups are already analyzing the patch. The gap between fix and first exploit is often measured in days. Your best defense is a patch cycle measured in hours — and a healthy suspicion of any spreadsheet that lands in your inbox.