Microsoft’s security team dropped a critical Office update on July 14, 2026 that every Excel user needs to install immediately. The patch addresses CVE-2026-55131, a heap buffer overflow vulnerability with a CVSS score of 7.8 that allows attackers to execute code on your machine simply by convincing you to open a malicious spreadsheet. While the flaw is technically “local” according to CVSS metrics, the attacker can be anywhere in the world—the only thing standing between them and your data is a single click.
The advisory, published as part of Microsoft’s monthly security release cycle, covers a broad swath of Office products, from the venerable Excel 2016 to the latest Microsoft 365 Apps on both Windows and Mac. If you’ve ever ignored an update notification for Excel, now is the time to pay attention.
The July 14 Fixes at a Glance
The patch fixes a heap-based buffer overflow in Excel. Heap overflows are a classic category of memory corruption where writing past the bounds of allocated memory can overwrite control data, leading to execution of attacker-supplied code. In this case, the overflow occurs when Excel processes a file in a way the developers didn’t anticipate.
Microsoft’s security update guide lists these corrected builds:
| Product | Minimum Fixed Version |
|---|---|
| Excel 2016 (perpetual) | 16.0.5561.1001 (KB5002886) |
| Office Online Server | 16.0.10417.20175 |
| Microsoft 365 Apps for Windows | Serviced via update channel; check your build |
| Office 2019, LTSC 2021, LTSC 2024 | Latest security update build for each |
| Microsoft 365 for Mac, Office LTSC for Mac | 16.111.26071215 or later |
If you’re running a current subscription version of Microsoft 365 Apps, clicking “Update Now” from the File menu will pull down the patched build automatically. Enterprises using deferred channels or legacy versions will need to verify that the specific build carrying the fix has been deployed.
The CVE record itself (CVE-2026-55131) contains the full technical details, but the actionable takeaway is simple: any unpatched Excel installation that can open user-supplied files is vulnerable.
Is Your Version Vulnerable?
The affected products list is more extensive than many realize. This isn’t a legacy issue limited to an outdated release. Microsoft’s advisory enumerates:
- Microsoft 365 Apps for Enterprise
- Microsoft Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Excel 2016
- Office Online Server
- Microsoft 365 for Mac
- Office LTSC for Mac
That means even organizations fully up-to-date with subscription licensing must apply the July 14 patch. If you’re still running Excel 2016—still supported for security fixes until its end of life—this is one of those frequent reminders to either upgrade or ensure you have a robust patch management process.
Decoding the “Remote Code Execution” Label
If you look up CVE-2026-55131 in the National Vulnerability Database, you’ll see something that seems contradictory: the CVSS vector shows “AV:L,” meaning the attack vector is local. Yet the CVE title explicitly says “Remote Code Execution.” How can both be true?
The short answer: Microsoft uses “remote” to describe where the attacker can be, not how the vulnerability is triggered. According to the official advisory, “the word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”
In practical terms, an adversary doesn’t need to be in the same room—or even on the same network—as the target. They just need to deliver a file. That file might arrive via email, a malicious website, a cloud storage link, or any mechanism that convinces the user to open it. Once Excel parses the file locally, the heap overflow triggers, and the attacker’s code runs. The attacker doesn’t need an existing account or credentials on the victim’s machine; the attack complexity is low, and the impact can be severe: complete compromise of confidentiality, integrity, and availability.
This is vastly different from a network-exploitable bug where simply having a service exposed to the internet could allow automated worms. Here, exploitation requires user interaction (CVSS UI:R), which is why the score is 7.8 rather than a terrifying 9.8. But don’t let that “local” label lull you into complacency—one unsuspecting employee opening the wrong spreadsheet can be the entry point for a ransomware gang or data thief.
The CISA’s initial assessment, using the Stakeholder-Specific Vulnerability Categorization (SSVC), noted no known exploitation and judged it “not automatable,” but acknowledged the potential for total technical impact. That assessment could change if proof-of-concept code emerges, which is why patching now is critical.
What the Patch Means for You
For the regular user at home or in a small business: install the updates now. If you use Microsoft 365, go to File > Account > Update Options > Update Now. If you use a standalone Office 2019 or 2021, run Windows Update and apply all pending Office patches. For Mac users, open any Office application, click Help > Check for Updates, and let Microsoft AutoUpdate do its job.
The threat model here is a spear-phishing email with an attached Excel file, a link to a spreadsheet on SharePoint or Dropbox, or even a file embedded in a web page. Because the attack relies on Excel’s file-parsing logic, it doesn’t require macros to be enabled—simply opening the document can trigger the flaw. So even if you’ve disabled macros for security reasons, you’re not fully protected without the patch.
If you routinely handle spreadsheets from unknown sources (e.g., public data downloads, partnership reports), you should be especially cautious. Until you’re patched, consider opening such files in Excel’s Protected View, which opens read-only and blocks active content, or use a non-Windows device that may not have the vulnerable library, though Mac versions are also affected here.
For IT administrators: this is a routine but urgent patch cycle. Beyond ensuring all Office installations are updated, take the following steps:
- Verify that your deployment tool (SCCM, Intune, WSUS) is pushing the correct Office security update for your channel.
- Check build numbers against Microsoft’s Office build reference page; for example, Excel 2016 should be at version 16.0.5561.1001.
- Run a vulnerability scanner or use Microsoft Defender for Endpoint to identify unpatched devices.
- Remind users about the dangers of opening attachments from unknown senders. While patches are the primary defense, user awareness is a layer.
- For high-security environments, consider application control policies that restrict Excel’s ability to launch child processes or script interpreters, though this may not stop pure memory-corruption exploits.
- Audit and enforce least privilege. Since the attacker’s code runs with the user’s rights, a non-admin account limits the immediate damage. However, lateral movement and credential theft can still follow, so this is a mitigation, not a fix.
Steps to Secure Your PC or Fleet
Here’s a prioritized checklist for the next 24 hours:
- Identify all devices running Office. Don’t forget virtual desktops, servers with Excel for reporting, and Macs.
- Apply the July 14, 2026 Office security update via your management console or manually.
- Validate the patched version. For Excel 2016 on Windows, click File > Account > About Excel and confirm it says version 16.0.5561.1001 (or higher). For M365, the version number will differ but should reflect a build dated after July 14, 2026.
- Block or quarantine email attachments with certain Excel file extensions (.xls, .xlsx, .xlsm, etc.) from untrusted sources until you are fully patched.
- Enable Microsoft Defender Attack Surface Reduction rules if available. Rules like “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” can contain post-exploitation activity.
- Schedule a follow-up scan for July 21 to catch any devices that missed the update.
For home users, the process is simpler: just run Windows Update, open Excel, and check for updates. If you’ve turned off automatic updates, turn them back on—at least temporarily.
A Pattern of Document-Based Dangers
This isn’t the first Excel RCE, and it won’t be the last. The very nature of spreadsheet software—complex parsers handling user-supplied data—makes it a perennial target. Microsoft’s Protected View, hardened sandboxes, and macro warnings have raised the bar over the years, but as this heap overflow demonstrates, the fundamental file format can harbor dangerous flaws.
What to watch next: will exploit code appear on public repositories like Exploit-DB? Often, patches spark reverse engineering and the creation of proof-of-concept exploits within days. If you delay patching beyond a week, you increase the risk of encountering an active attack. Also keep an eye on Microsoft’s next Patch Tuesday; this CVE may be one of several Office-related fixes in the July release, and additional mitigation guidance could appear in the MSRC blog.
For now, the message is clear: update Excel, educate your users, and stay skeptical of unexpected spreadsheets. The attacker might be remote, but the fix is local—and it’s in your hands.