Microsoft has released security updates for Microsoft Excel that close a high-severity vulnerability allowing attackers to run malicious code on a victim's PC simply by persuading them to open a specially crafted spreadsheet. The flaw, catalogued as CVE-2026-55024, affects nearly every current version of Excel—from Microsoft 365 subscriptions down to Excel 2016, plus Mac and Office Online Server—and earned a CVSS 3.1 base score of 7.8. The patches arrived on July 14, 2026, and administrators have a narrow window to deploy them before exploitation attempts start ramping up.
The July Patch: What Microsoft Fixed
CVE-2026-55024 is a type confusion vulnerability, described officially as Excel accessing a resource using an incompatible type. In practice, that means when Excel opens a malicious workbook, the parsing engine can be tricked into misinterpreting data, corrupting memory in a way that lets an attacker execute arbitrary code. Microsoft says an unauthorized attacker would gain the same rights as the logged-in user, making account privilege a critical factor—a standard user limits the blast radius, while an admin-level compromise could hand over full device control.
The July patch bundle addresses this bug across a broad product landscape:
- Microsoft 365 Apps for Enterprise receives the fix through its regular update channel; the specific build depends on whether you're on Current, Monthly Enterprise, or Semi-Annual channels. No separate download is necessary for Click-to-Run installations.
- Excel 2016 (MSI-based editions) gets a dedicated update, KB5002886, which brings the application to version 16.0.5561.1001. The update replaces KB5002865 and includes fixes for several other Excel vulnerabilities disclosed in July.
- Office 2019, Office LTSC 2021, and Office LTSC 2024 are also affected; Microsoft advises installing the applicable July security updates through Microsoft Update or the Update Catalog.
- Microsoft 365 and Office LTSC for Mac must be updated to version 16.111.26071215 or later. Mac users should check for updates via Microsoft AutoUpdate.
- Office Online Server installations running a version older than 16.0.10417.20175 should apply KB5002884 immediately. That update resolves CVE-2026-55024 along with several other Excel-related flaws.
Microsoft has not made public a proof-of-concept, sample file, or technical deep dive. The only detail available is the type confusion classification, which is enough to understand the vulnerability's nature but not to build a detection signature based on file artifacts. Security teams should assume that exploit material will appear after researchers and threat actors compare patched and unpatched Excel binaries—a process that typically takes days or weeks.
Who's at Risk—and Why You Can't Just Block Macros
Despite the "remote code execution" label, CVE-2026-55024 isn't a network-reachable bug. The CVSS vector (AV:L/AC:L/PR:N/UI:R) makes clear that exploitation requires local access to a file and user interaction—you must open a malicious spreadsheet. The classic delivery method is phishing: an invoice, a purchase order, a tax form, or any other business document designed to trick you into double-clicking.
That user-interaction requirement is why the score is High (7.8) rather than Critical (9.0+). But it doesn't make the vulnerability toothless. In enterprise environments, attackers routinely send targeted messages with convincing lures, and a single unsuspecting click can initiate a full network intrusion.
Importantly, macros are not the problem here. Type confusion vulnerabilities arise from how Excel parses data, not from Visual Basic code. That means even if your organization has macro-blocking policies in place—no VBA execution, forced Protected View, or disabled ActiveX controls—a malicious workbook without macros can still trigger the flaw. Until the patch is deployed, there is no complete software-based mitigation. User awareness and email sandboxing help, but they are stopgaps, not guarantees.
The attack surface expands when you consider collaboration tools. A compromised workbook shared via SharePoint, Teams, OneDrive, or a cloud storage link can reach users who trust internal file-sharing channels. Office Online Server introduces an additional vector: unpatched servers could process malicious files server-side, although Microsoft hasn't described a specific attack scenario. Still, organizations running that product should patch it with the same urgency as client endpoints.
Patching Your Excel: A Platform-by-Platform Guide
Getting protected isn't complicated, but it's not uniform across all Excel flavors. Here's exactly what to check and install depending on your environment.
For Microsoft 365 Apps (Windows)
Microsoft 365 subscriptions receive updates automatically via the Office Click-to-Run engine. To verify you're on a patched build:
1. Open any Office application, go to File > Account.
2. Under Product Information, note the version number and update channel.
3. For all channels, any build dated July 14, 2026, or later contains the fix.
If automatic updates are paused or deferred by policy, administrators should force an update through the deployment tool (e.g., with C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe /update user).
For Excel 2016 (MSI-based installations)
These are the standalone, volume-licensed editions frequently found in enterprises. Download and install KB5002886 from the Microsoft Update Catalog, Windows Update, or by clicking File > Account > Update Options > Update Now. After installation, confirm the Excel version: go to File > Account > About Excel and ensure it reads 16.0.5561.1001 or higher.
For Office 2019 and Office LTSC (2021/2024)
These products also receive updates through Microsoft Update or WSUS. Windows Update will offer the July 2026 security rollup; alternatively, admins can manually download the full-file patches from the Update Catalog using the respective KB numbers published in the July security release notes.
For Mac
Microsoft AutoUpdate should download version 16.111.26071215 or later. Open any Office app, go to Help > Check for Updates, and let the utility run. Restart all Office apps afterward.
For Office Online Server
Install KB5002884 to reach version 16.0.10417.20175. As with all server patches, schedule a maintenance window and perform a backup first. Verify the version by running the following PowerShell command after the update:
(Get-Item "C:\Program Files\Microsoft Office Server\*\Bin\Microsoft.Office.Server.dll").VersionInfo.FileVersion
Validation for Large Fleets
IT administrators can use configuration management tools (SCCM, Intune, WSUS) to query the installed version of Excel across the estate. The key versions to look for:
- Excel 2016: 16.0.5561.1001
- Excel 2019 / LTSC: check for the July 14, 2026 build date
- Microsoft 365: look for version stamps from July 14 or later
- Mac: 16.111.26071215
- Office Online Server: 16.0.10417.20175
The Bigger Picture: Office Phishing Attacks Still Work
CVE-2026-55024 didn't emerge in isolation. Microsoft's July 2026 Patch Tuesday included fixes for multiple Excel remote code execution and information-disclosure vulnerabilities, underscoring that Office remains a favored attack vector. The company hasn't disclosed whether this vulnerability was reported through its bug bounty program, a security researcher, or internal discovery, but the timing aligns with a regular monthly cadence.
There is no evidence yet of active exploitation in the wild. CISA's initial Stakeholder-Specific Vulnerability Categorization (dated around the time of disclosure) flagged the flaw as not exploited and not automatable. That assessment might change. Researchers often take the first few weeks after a patch release to reverse-engineer the fix, develop a working exploit, and sometimes publish it publicly. For enterprise defenders, the window between patch availability and exploit availability is shrinking.
The attack model for these types of Office vulnerabilities has remained consistent for years: a phishing email carries a tainted attachment, a user opens it, and the payload triggers before the user notices anything amiss. Because the file can look entirely legitimate—a formatted spreadsheet with real-looking data—it bypasses many email filters that rely solely on file extension or macro detection. That's why patching is the only robust defense.
For organizations that cannot patch immediately, compensating controls should include:
- Enforcing Protected View for all files opened from untrusted locations.
- Configuring Microsoft Defender for Office 365 to detonate attachments in a sandbox before delivery.
- Educating users not to open spreadsheets from unknown senders, even if the file appears innocuous.
- Restricting execution privileges on endpoints so that standard users cannot install software or write to system directories.
None of these measures are as effective as the patch itself, but they may buy a few extra hours during a real campaign.
What to Watch For Next
The critical moment for CVE-2026-55024 is still ahead. Within the next 30 to 60 days, expect one or more of the following to happen:
- Security vendors release detection signatures for malicious files exploiting the type confusion.
- A researcher publishes a technical write-up or proof-of-concept code.
- The vulnerability gets added to exploit frameworks like Metasploit.
- Microsoft updates its advisory with additional mitigation guidance if active attacks are detected.
In the meantime, patching all Excel instances should be at the top of your security budget for this month. The vulnerability is confirmed, the fix is simple, and the cost of delay could be a full-system compromise.