Microsoft issued a security fix on July 14, 2026, for a flaw in Excel that can give attackers full control of a PC when a victim opens a poisoned spreadsheet. The vulnerability, tracked as CVE-2026-50675, earned a 7.8 CVSS 3.1 score and the “Important” severity rating from Microsoft. If left unpatched, it allows remote code execution through nothing more than a malicious Excel file—no macros, no prompts, just a routine double-click.
The Vulnerability at a Glance
CVE-2026-50675 is a heap-based buffer overflow (CWE-122) in the way Microsoft Office Excel parses workbook files. When Excel opens a specially crafted spreadsheet, the flaw can corrupt memory in a way that hands control to an attacker. From there, the attacker can run arbitrary code with the same rights as the logged-in user. If that user has administrative privileges, the attacker owns the machine.
The CVSS vector tells the full story: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That’s a local attack vector, low attack complexity, no privileges required, and user interaction required. Once exploited, the impact is high across confidentiality, integrity, and availability. In plain English: an attacker can send you a weaponized Excel file, and if you open it, the game is over.
Microsoft’s advisory explicitly calls this a remote code execution (RCE) vulnerability, which can confuse anyone who looks at the “local” attack vector. The company explains that “remote” refers to the attacker’s location—they can be anywhere in the world when they deliver the file—while the attack itself happens locally, inside Excel’s own parsing engine. Security researchers sometimes call this class of bug “arbitrary code execution” or ACE. The distinction matters for prioritizing defenses, but for the average user, the takeaway is grim: opening a booby-trapped spreadsheet is enough to get hacked.
Who’s at Risk
The list of affected products runs long and covers practically every supported version of Office:
- Microsoft 365 Apps for Enterprise (Windows)
- Excel 2016
- Office 2019
- Office LTSC 2021
- Office LTSC 2024 (Windows)
- Microsoft 365 for Mac
- Office LTSC for Mac 2021
- Office LTSC for Mac 2024
- Office Online Server
If you use any of those—and the odds are high that you do—you need the patch. The flaw does not discriminate between business and home users, though business environments are typically bigger targets because they hold more valuable data and because spreadsheets are standard tools for finance, HR, and executive reporting. An attacker can easily disguise a malicious workbook as an invoice, a budget template, or a salary sheet. The required user interaction means the bad guys rely on social engineering, but given how often people open attachments without a second thought, that’s a low bar to clear.
Mac users are not immune. Office for Mac shares enough code with its Windows sibling that this parsing vulnerability crosses platforms. Office Online Server, which powers Excel in a browser for some organizations, is also listed. That means an attacker could potentially exploit the flaw by hosting a malicious file and tricking someone into opening it in Excel Online, though Microsoft has not publicly released details on that attack vector.
How We Got Here
Document-based code execution is a perennial headache. Over the years, flaws in Word, Excel, and even Adobe Acrobat have given attackers a foothold through nothing more than a file. The 2026 Excel bug fits the same mold, but it’s notable for its simplicity: no macros, no ActiveX controls, no warnings that would tip off a cautious user. It’s a straight parser memory corruption, so Excel doesn’t realize it’s handling a weapon until it’s too late.
Microsoft’s Security Response Center published the advisory on July 14, 2026, as part of its regular Patch Tuesday cycle. The company’s own CVSS score of 7.8 falls in the “High” range, not “Critical,” because exploitation requires user interaction and the attack vector is local. But don’t let the label fool you: a successful attack can compromise the entire system, not just Excel. And because no privileges are needed to pull the trigger, a standard user account is all an attacker needs to get started.
The advisory also notes that this type of vulnerability may be referred to as arbitrary code execution. That’s a reminder that “remote” doesn’t always mean an internet-facing server flaw. Client-side applications are a favorite target precisely because users are the weakest link. A phishing email with a malicious attachment is often all it takes.
What You Need to Do Now
1. Update Microsoft Office immediately
The fix arrived in the July 14, 2026 security updates. Getting it depends on your Office installation:
- Microsoft 365 Apps (Windows): Open any Office app, go to File > Account > Update Options > Update Now. Or let automatic updates run their course—but waiting is risky.
- Office 2016, 2019, LTSC 2021, LTSC 2024 (Windows): Use Windows Update or the Microsoft Update Catalog. These perpetual-license versions get patches through the standard Microsoft Update mechanism, just like Windows.
- Office for Mac: Open any Office app, click Help > Check for Updates. This launches Microsoft AutoUpdate, which downloads and installs the latest patches. You can also download the latest updater directly from Microsoft.
- Office Online Server: Admins should apply the latest security updates for Office Online Server through their normal patch management process. Microsoft provides standalone .msi updates for server products.
IT administrators managing fleets of devices should push the update through WSUS, System Center Configuration Manager, or Microsoft Intune. Don’t assume that Windows Update alone covers Office—verify that Office-specific updates are approved. Check your update rings for Microsoft 365 Apps, too: some organizations defer updates by days or weeks, and CVE-2026-50675 is not a bug you want to sit on.
2. Consider additional layers of defense
Patching is the only complete fix, but these steps reduce your exposure while you roll out updates:
- Enable Protected View. Office opens files from the internet or email in read-only mode by default. Don’t disable it. This might not block the vulnerability entirely if the file is opened in edit mode later, but it adds friction.
- Use Office macro warnings. While this bug doesn’t require macros, keeping macro execution disabled or restricted stops a whole category of other attacks. Excel’s default setting blocks macros on internet-sourced files unless the file comes from a trusted location.
- Block risky file types at the perimeter. Email gateways should quarantine \.xls, \.xlsx, \.xlsm, and other Office formats from untrusted sources. Same goes for web proxies and attachment sandboxing tools.
- Run an endpoint detection and response (EDR) solution. Look for suspicious child processes spawning from Excel.exe—unexpected instances of powershell.exe, cmd.exe, or wscript.exe, for example. This behavior is a strong indicator of document-borne code execution.
- Follow the principle of least privilege. If users don’t have local administrator rights, an attacker who exploits this flaw gains only limited access. That makes lateral movement harder and buys your security team time.
3. Train users
It sounds obvious, but tell people not to open unexpected attachments, even if they appear to come from a colleague. Phishing is the most likely delivery mechanism. The malicious file could be named anything—”Invoice_July2026.xlsx” or “Budget_draft.xlsm”—and look perfectly normal at first glance.
Looking Ahead
Microsoft hasn’t reported active exploitation of CVE-2026-50675 as of this writing, but that can change overnight. High-severity Office vulnerabilities have a way of getting weaponized once patch details become public. The July 2026 Patch Tuesday also included fixes for other Office components, so applying the entire batch is smart.
The Excel flaw is a stark reminder that document files are not inert. They are containers for data that a complex parser must interpret, and complexity breeds bugs. Microsoft’s shift to cloud-first development with Microsoft 365 means Office apps are updated more frequently than ever, but it also means users and admins must stay on top of those updates. This patch is one you don’t want to skip.