On July 14, 2026, Microsoft’s monthly security release addressed a high-severity remote code execution vulnerability in Excel that could allow an attacker to take over a PC simply by convincing someone to open a malicious workbook. The flaw, tracked as CVE-2026-55044, earned a 7.8 CVSS score and affects nearly every modern version of Office, from Excel 2016 to Microsoft 365 Apps for enterprise and the latest Office LTSC releases. Microsoft has rated the vulnerability “Important” and “Exploitation Less Likely,” but the patch is urgent nonetheless—file-format attacks remain a favorite entry point for phishing campaigns.
The Flaw and the Fix
The security hole stems from an out-of-bounds read (CWE-125) in the way Excel parses certain file structures. An attacker who crafts a special workbook can trigger memory corruption and execute arbitrary code with the permissions of the logged-in user. The attack requires user interaction: a target must open the poisoned file. Once that happens, the CVSS vector notes, the impact to confidentiality, integrity, and availability is high.
Microsoft shipped separate updates for different Office editions. The most prominent is KB5002886, which brings MSI-based Excel 2016 to version 16.0.5561.1001 and closes the vulnerability along with several other memory-safety issues in the July release. Click-to-Run installations of Microsoft 365 Apps, Office LTSC 2021, and Office LTSC 2024 automatically receive the fix through their normal update channels. For Mac users, Microsoft 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024 are patched in version 16.111.26071215. Office Online Server gets its remedy via KB5002884, which lifts the server to build 16.0.10417.20175.
Microsoft’s Security Update Guide confirms the vulnerability was neither publicly disclosed nor seen in active attacks at the time of release. The NVD entry remained under analysis as of July 15, but already echoed Microsoft’s severity ratings and product list.
Who’s Affected and What’s the Real Risk?
The list of vulnerable software is broad:
- Microsoft 365 Apps for enterprise (32- and 64-bit) on Windows
- Excel 2016 (32- and 64-bit) before version 16.0.5561.1001
- Office 2019
- Office LTSC 2021 and Office LTSC 2024 (32- and 64-bit)
- Microsoft 365 for Mac, Office LTSC for Mac 2021, Office LTSC for Mac 2024 before version 16.111.26071215
- Office Online Server before version 16.0.10417.20175
“Remote code execution” sounds as if an attacker can reach out across the network, but the reality is more constrained. The CVSS vector classifies the attack vector as “Local,” meaning the malicious code must first arrive on the target machine—usually via email, a shared cloud link, or a download. Still, the “Low” attack complexity and “None” privilege requirements mean that once the workbook is opened, exploitation is straightforward. Code runs in the victim’s user context. On a standard account, damage is limited to what that user can access; on an admin account, the attacker could gain full control of the system.
That distinction underscores why everyday computing should happen under a standard (non-administrator) account. It won’t prevent the initial compromise, but it can severely limit what a successful attack can do. For enterprise environments, this is also a reminder that Excel components may be present even on machines where users rarely touch spreadsheets. Old MSI Office 2016 installations often linger alongside newer click-to-run versions, and Office Online Server can be overlooked in patch cycles that focus on Windows endpoints.
A Closer Look at CVE-2026-55044
Microsoft classifies the vulnerability as “Important,” not “Critical,” precisely because exploitation demands user interaction. The exploitability assessment is “Exploitation Less Likely,” a judgment based on the absence of public proof-of-concept code or in-the-wild attacks. That rating, however, offers only temporary comfort. File-format vulnerabilities in Office are perennial tools for phishing operators. A malicious workbook can be disguised as an invoice, a report, or a routine spreadsheet, and it may pass through several hands—including security-aware colleagues—before reaching the final victim.
The underlying bug is an out-of-bounds read. When Excel processes a malformed file, it reads memory outside a buffer boundary, which can lead to arbitrary code execution. Microsoft’s technical confidence for the advisory is “Confirmed,” meaning the vendor has acknowledged the flaw and provided enough detail to identify the weakness. The CWE-125 classification ties it to a class of memory-safety errors that have historically been weaponized in Office-based attacks.
The Broader July 2026 Patch Context
CVE-2026-55044 did not arrive in isolation. Microsoft’s July 2026 Patch Tuesday was unusually large, fixing 570 vulnerabilities across its product line, 145 of which were remote code execution flaws. That volume risks burying individual Office fixes under a mountain of Windows updates. For organizations that prioritize Windows Server or workstation patches, it’s easy to defer an Office security release, especially when the advisory lacks an active-exploitation flag. That would be a mistake. Excel is a ubiquitous part of business workflows, and a single unpatched installation can serve as a pivot point for wider network intrusion.
How to Update and Protect Yourself
Home users should enable automatic updates for Microsoft 365 or Office. Confirm the fix by checking Excel’s version number:
- Windows (Microsoft 365 / LTSC): Go to File > Account > About Excel. Click-to-Run builds will update automatically; verify you’re on a build released on or after July 14, 2026.
- Windows (MSI-based Excel 2016): Run Windows Update, or manually install KB5002886. After installation, Excel’s version should display 16.0.5561.1001.
- Mac: Open Excel, go to Help > Check for Updates, or run Microsoft AutoUpdate. The patched version is 16.111.26071215 or later. On laptops where updates are often postponed, manually trigger the check.
IT administrators need a broader approach:
- Inventory all Office installations: Look for Excel 2016 MSI, Office 2019 (which left mainstream support in October 2025 but is still listed as affected), Click-to-Run Microsoft 365 Apps, and Office LTSC 2021/2024. Don’t assume that users who primarily work in Word or Outlook lack Excel components.
- Patch Office Online Server: Apply KB5002884 to bring the server to version 16.0.10417.20175. This server component often follows a different update cadence than desktop Office.
- Verify Mac endpoints: Enterprise Macs may not update automatically if Microsoft AutoUpdate is suppressed or if users delay restarts. Use management tools to force the update to 16.111.26071215.
- Reinforce complementary defenses: While patching is the only complete fix, relevant security layers include:
- Protected View: Ensures files from the internet open in a sandboxed mode.
- Microsoft Defender SmartScreen: Blocks files from untrusted sources.
- Attachment scanning: Mail filters can quarantine suspicious Excel files.
- Attack Surface Reduction rules: Rules such as “Block Office applications from creating child processes” can thwart post-exploitation actions.
- Least-privilege accounts: Limit users to standard accounts where feasible. - Monitor for suspicious activity: After patching, check logs for Excel spawning unusual child processes (cmd.exe, powershell.exe, wscript.exe) or network connections to unfamiliar hosts. Telemetry can reveal threats that bypassed earlier defenses.
The Bottom Line
Microsoft’s advisory gives security teams a head start: no public disclosure and no active attacks. But the combination of low attack complexity and the everyday nature of Excel workbooks means the window may not stay open long. Phishing operators are quick to adopt file-format exploits once details become available. The large patch volume for July 2026 creates a risk that organizations will deprioritize an Office update that lacks a “critical” banner. Don’t let that happen. The steps are straightforward: verify Excel versions, apply KB5002886 or the corresponding click-to-run update, and ensure Office Online Server and Mac installations aren’t left behind. In a world where one malicious spreadsheet can lead to a full-blown breach, a quick patch today beats an incident response tomorrow.