On July 14, 2026, Microsoft dropped its monthly security patches, and one of them fixes a dangerous hole in Excel. Designated CVE-2026-55947, the vulnerability lets an attacker craft a rogue spreadsheet that, when opened, executes malicious code—potentially giving them the same control over your PC as the person who opened the file. The company rates this one Important and gives it a CVSS 3.1 score of 7.8, which lands in the “High” severity range.

Unlike some remote code execution flaws that can hit a computer without any user interaction, this one requires you to open a doctored Excel file. But because spreadsheets are exchanged daily in business, the threat is very real. Here’s what you need to know, who’s affected, and how to stay safe.

The Nuts and Bolts of the Flaw

At its core, CVE-2026-55947 is a heap-based buffer overflow (CWE-122). That means when Excel processes a file with specially altered contents, it writes beyond the memory it has reserved, corrupting adjacent data. Skilled attackers can shape that memory tampering to hijack the program’s execution flow, turning a simple file into a weapon.

Microsoft’s advisory confirms that the attack vector is local (AV:L in CVSS-speak), which puzzles some people because the title says “remote code execution.” The company clarifies: “remote” refers to the attacker’s location—they can be anywhere on the internet—while “local” means the exploit fires only when the vulnerable Excel process runs on the victim’s machine. Attackers send the booby-trapped file via email, download links, or cloud shares; the victim must open it.

The full CVSS vector lays out the path: low attack complexity (no special conditions needed), no privileges required, but user interaction is mandatory (the victim must open the file). The scope is unchanged, so the exploit works within Excel’s existing security boundaries. However, impact is high across confidentiality, integrity, and availability—success means the attacker can likely read, change, and lock down data accessible to the logged-in user.

How the Attack Plays Out in the Real World

Imagine an accounts payable clerk receives an email with an Excel invoice from “a vendor.” The attachment looks routine. Double-click it and, if the machine hasn’t been patched, the attacker’s code runs. Because the exploit inherits the user’s privileges, a standard account might limit the damage, but an administrator-level account hands over the keys to the kingdom.

The attacker doesn’t need prior access to the network. They merely need one person to interact with the file. Phishing emails, fake download sites, or even shared folders in collaboration apps could deliver the malicious workbook. And because Excel files are common in business, security tools might not flag them as aggressively as, say, an executable.

Who’s Affected: A Broad List of Office Versions

CVE-2026-55947 touches a wide swath of Microsoft’s Office ecosystem. According to Microsoft’s update guide, the following editions are patched:

  • Microsoft 365 Apps for Enterprise (32-bit and x64 on Windows)
  • Excel 2016 (builds before 16.0.5561.1001 are affected)
  • Office 2019
  • Office LTSC 2021
  • Office LTSC 2024
  • Microsoft 365 for Mac (requires version 16.111.26071215 or later)
  • Office LTSC for Mac 2021 and 2024
  • Office Online Server (must be at least build 16.0.10417.20175)

This last entry is critical: Office Online Server is a server-side component that can parse Excel content for web-based viewing or editing. If your organization runs it, don’t assume the fix is desktop-only. Patching the server closes a backdoor that could be exploited simply by users uploading or rendering a malicious file through a portal.

For most consumers using Microsoft 365, the update should arrive automatically through the app’s built-in update channel. But as any IT pro knows, automatic doesn’t always mean instantaneous. On managed devices, deployment rings, maintenance windows, or third-party update tools can delay installation. And if you’re still running a standalone version like Excel 2016, you’ll need to grab the patch from Windows Update or the Microsoft Download Center.

How We Got Here: The Long History of Excel Exploits

Office document-borne threats are as old as the macro virus. In recent years, memory-corruption bugs in Excel have been a staple of state-sponsored and cybercriminal groups alike. The 2015 “Equation Editor” series, the 2017 CVE-2017-11882 exploit kit favorite, and the 2021 CVE-2021-42292 zero-day all followed the same recipe: send a file, get the user to open it, run code.

Microsoft’s own mitigation technologies—Protected View, Application Guard, and Attack Surface Reduction rules in Defender—have raised the bar, but determined attackers keep finding new parsing flaws. The heap-based overflow class remains potent because modern exploit mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) can sometimes be bypassed with careful heap grooming.

That Microsoft rated CVE-2026-55947 “Important” rather than “Critical” reflects the required user interaction. The company’s Exploitability Index labels it “less likely” to be exploited, according to a roundup by BleepingComputer. In its initial assessment, CISA recorded no known exploitation, though the potential technical impact is total. Those assessments aren’t a reason to delay patching; they are an indicator that, as of release, no one had publicly reported attacks using this particular flaw.

What to Do Now: Patch, Protect, and Stay Skeptical

1. Update immediately. If you’re an individual user on Windows or Mac, open Excel, go to File > Account > Update Options > Update Now. For managed fleets, verify that the July 2026 security updates for Office have been deployed. Check Excel’s build number: should be 16.0.5561.1001 or later on Windows for Excel 2016; for Microsoft 365, the update will appear as the latest Current Channel or Monthly Enterprise Channel build with the fix.

2. Treat every Excel file from outside as potentially dangerous. Even with the patch, threat actors often chain exploits with other techniques. Turn on “Block macros from running in Office files from the internet” via Group Policy or the Trust Center. Use Protected View, which opens documents in a sandboxed, read-only mode by default.

3. Use layered defenses. Email filters should strip or flag attachments with embedded ole objects, macros, or suspicious structures. Microsoft Defender for Office 365 offers Safe Attachments that detonates files in a virtual environment. Application control policies—like Windows Defender Application Control or AppLocker—can prevent untrusted executables from running, limiting what an exploit can do.

4. Run with least privilege. Remove local admin rights from daily accounts. An exploit that runs code as a standard user faces a steeper climb to install persistence or move laterally. Combine that with endpoint detection and response (EDR) tools that flag unusual process creation from Excel.

5. Patch Office Online Server. If your organization uses it, identify the build and apply the corresponding update from the Microsoft Update Catalog. A forgotten server-side component can leave a persistent route for attackers who target your web-based document editing platform.

Outlook: Stay Alert, Not Alarmed

No active attacks have been spotted for CVE-2026-55947 yet. But the window between a patch’s release and the first exploitation attempts often shrinks. Adversaries can reverse-engineer the fix to craft working exploits within days. The document-based attack model remains popular because it bypasses network firewalls and targets the human element.

Watch for further guidance from Microsoft’s threat intelligence teams. Meanwhile, a patched Excel is your first line of defense—don’t let it become the weakest link.