On July 14, 2026, Microsoft shipped security updates that close a heap-based buffer overflow in Excel that lets attackers hijack computers through booby-trapped spreadsheets. The vulnerability, tracked as CVE-2026-55137, carries an “Important” rating and a 7.8 CVSS score. What makes it especially dangerous is that an attacker doesn’t need to be sitting at your desk; they only need to convince you—or someone in your organization—to open a poisoned Excel workbook.

Microsoft’s advisory is clear: “The word Remote in the title refers to the location of the attacker.” The actual attack happens on your local machine the moment Excel tries to parse the malicious file. That subtle distinction often trips up IT teams, so let’s break down exactly what this update fixes, which devices are affected, and the step-by-step actions you should take today.

What’s in the July 2026 Excel Security Update

The heart of CVE-2026-55137 is a heap-based buffer overflow (CWE-122). When Excel processes a specially crafted file, improper bounds handling lets an attacker overwrite memory, redirect execution, and run arbitrary code with the same permissions as the logged-in user. Microsoft’s CVSS 3.1 vector breaks the risk down precisely:

  • Attack Vector: Local (AV:L) – exploitation requires the file to be opened on the target machine
  • Attack Complexity: Low (AC:L) – no specialized conditions needed beyond the malicious file
  • Privileges Required: None (PR:N) – the attacker doesn’t need an existing account
  • User Interaction: Required (UI:R) – the victim must open the file
  • Scope: Unchanged (S:U) – the vulnerable component and impact stay within Excel’s security context
  • Impact: High for confidentiality, integrity, and availability (C:H/I:H/A:H)

That UI:R element is the key: simply being on the same network isn’t enough. An attacker must get you to open a file—via email, a shared folder, a cloud link, or any other delivery channel. Once you do, the buffer overflow can turn that click into a full system compromise.

Microsoft describes the issue as a “remote code execution” vulnerability because the attacker remains remote throughout the entire operation—they never need physical access. In practice, the industry often calls this Arbitrary Code Execution (ACE). The term fits, because the real threat is complete control over the machine after the file loads.

Which Versions of Office Are Affected

The patch touches a broad swath of the Office ecosystem. According to Microsoft’s Security Response Center, the following products need to be updated:

Product Affected Version Fixed Build/Boundary
Microsoft 365 Apps for Enterprise (32-bit and 64-bit Windows) All prior to July 2026 release July 14, 2026, security update
Office 2019 (retail and volume license) All prior to July 2026 release July 14, 2026, security update
Office LTSC 2021 All prior to July 2026 release July 14, 2026, security update
Office LTSC 2024 All prior to July 2026 release July 14, 2026, security update
Excel 2016 (MSI-based) Versions before 16.0.5561.1001 16.0.5561.1001 (KB5002886)
Microsoft 365 for Mac All prior to July 2026 release 16.111.26071215
Office LTSC for Mac 2021 All prior to July 2026 release 16.111.26071215
Office LTSC for Mac 2024 All prior to July 2026 release 16.111.26071215
Office Online Server Earlier than 16.0.10417.20175 16.0.10417.20175

Home users running Microsoft 365 subscriptions get the fix through automatic updates. But enterprise administrators need to verify that managed deployment rings haven’t delayed the patch. Office Online Server, in particular, follows a different servicing model and is often overlooked during standard Patch Tuesday cycles.

How the Attack Works—and Why the “Local” Label Causes Confusion

A common mistake is reading AV:L and assuming an attacker already needs a foothold on your device. That’s not the case here. The attack chain looks like this:

  1. An attacker crafts an Excel workbook that triggers a heap-based buffer overflow when processed.
  2. The file is delivered remotely—phishing email, a SharePoint link, a USB drop, a compromised OneDrive share.
  3. A user opens the file in an unpatched version of Excel.
  4. Excel’s memory corruption runs the attacker’s code, with the user’s privileges.

No network service is exposed, and no zero-click exploitation over the internet exists. The “local” in AV:L means the vulnerable processing happens on the local system, not that the attacker is already inside. The delivery vector remains fully remote. This explains why the CVSS score of 7.8 is relatively high despite the required user interaction—the fallout after that click is catastrophic.

Because the vulnerability is a heap overflow, an exploit could potentially bypass some memory protections. Microsoft hasn’t disclosed whether the bug was found internally or reported externally, and at the time of the advisory, there were no reports of active exploitation. That doesn’t give you much time to relax—attackers often reverse-engineer patches within days, and Office files have long been a favorite malware delivery mechanism.

What You Should Do Right Now

For Home Users and Small Offices

  • Open any Office app, go to File > Account > Update Options, and click “Update Now.”
  • If you use Excel 2016 standalone (the old MSI version), run Windows Update and make sure KB5002886 is installed. After reboot, check Excel’s build number under File > Account—you should see at least 16.0.5561.1001.
  • On a Mac, open the Microsoft AutoUpdate tool (Finder > Help > Check for Updates) or click “Update” in any Office app’s Help menu. Confirm the version is 16.111.26071215 or later.

For Enterprise IT and System Administrators

  • Scan your environment for all Office installations, including 32- and 64-bit Click-to-Run builds, MSI-based Excel 2016, and Mac installations.
  • Prioritize patching for Office Online Server. The fixed boundary (16.0.10417.20175) is available via the usual servicing channel; validate installs against that number.
  • If you use Microsoft 365 Apps with update channels, verify that your deployment rings have approved the July 14, 2026 update. Manually triggering a sync in Microsoft Configuration Manager or Intune may be necessary.
  • Until every endpoint is patched, enforce controls: block Excel attachments with macros or suspicious content at the email gateway, enable Protected View for files from the internet, and restrict local admin rights to limit post-exploitation damage.
  • Train users to recognize the phishing lures that typically deliver these weaponized workbooks—fake invoices, HR documents, shipping notifications.

For Developers and Security Researchers

  • If you maintain internal Excel-based applications or tools that ingest third-party files, rig your test environment with the patch immediately. Verify that your application still behaves as expected.
  • The CWE-122 classification suggests a classic heap mismatch. If you’re doing forensic analysis, look for abnormal memory patterns when Excel parses certain OOXML elements.

How We Got Here: Office as a Perennial Attack Surface

Office file formats are complex, and Excel’s legacy of backward-compatible features has made it a frequent target. Just in the past year, we’ve seen multiple RCE flaws in Office, and each Patch Tuesday brings a fresh batch of fixes. The July 2026 update is part of a regular cadence, but it’s a stark reminder that client-side applications remain the soft underbelly of enterprise security.

Historically, attackers have used malicious Office documents to deliver everything from banking trojans to ransomware. Even though the macro execution path has been somewhat hardened in recent years, the sheer complexity of parsing workbooks still leaves room for memory corruption bugs like this one. The AV:L classification, while technically accurate, often leads admins to deprioritize such patches. That’s a mistake—a remote attacker delivering an ACE through a document that a single intern clicks can be the start of a full network breach.

Microsoft’s advisory clarifies that the term “remote code execution” is about attacker location, not about an open network port. The company has used this framing for years, but it still causes confusion. The same confusion surfaced in February 2024 with a similar Excel vulnerability (CVE-2024-20677) and again with a Word flaw in mid-2025. The takeaway: treat any “remote code execution” bulletin that requires user interaction with the same urgency as a network-service RCE, because the attacker is still remote, and the end result is the same.

What’s Next: Stay Vigilant

Microsoft has not indicated that this vulnerability is being exploited in the wild, but that can change overnight. The July 2026 Patch Tuesday also addressed a number of other Office and Windows vulnerabilities—some reportedly more severe. For now, the priority is clear: patch Excel everywhere, including those often-neglected Mac and Office Online Server installs.

Keep an eye on Microsoft’s Security Update Guide and your threat intelligence feeds. If a proof-of-concept appears, the window between awareness and wholesale exploitation shrinks to hours. We’ll continue to monitor and report on any exploitation activity or additional workarounds that emerge.

For a deeper technical breakdown of the AV:L versus RCE classification debate, see the analysis on WindowsForum, where the CVSS metrics are dissected in detail. But for most of us, the message is simple: update now, and teach users to think twice before double-clicking.