On July 14, 2026, Microsoft released a security update for Microsoft Excel that fixes a remote code execution vulnerability tracked as CVE-2026-55031. The flaw, rated Important with a CVSS 3.1 base score of 7.8, can let attackers run arbitrary code on a victim’s computer simply by convincing them to open a malicious workbook. Despite a “local” attack vector label, the patch is urgent because attackers can deliver the weaponized file from anywhere—email, cloud storage, messaging apps, or shared drives—and wait for the user to open it.

What Microsoft Fixed in the July 2026 Excel Update

CVE-2026-55031 is an out-of-bounds read weakness (CWE-125) in how Microsoft Office Excel processes certain file formats. When exploited, it enables code execution with the same privileges as the logged-in user. An attacker who successfully pulls this off could install programs, view, change, or delete data, or create new accounts with full user rights.

The security advisory covers a broad range of Office editions:

  • Microsoft 365 Apps for enterprise
  • Excel 2016 (MSI-based installations)
  • Office 2019
  • Office LTSC 2021 and 2024
  • Office for Mac
  • Office Online Server

For administrators managing older MSI-based Excel 2016, the fix arrives as KB5002886, bringing Excel to version 16.0.5561.1001. Modern Click-to-Run installations—including Microsoft 365, Office 2019, and LTSC—receive the patch through their respective servicing channels rather than a standalone update. Mac users need build 16.111.26071215 or later, depending on their licensing branch. Office Online Server instances are affected before version 16.0.10417.20175.

Microsoft’s exploitability assessment at the time of release was “Exploitation Less Likely.” The flaw had not been publicly disclosed nor seen in active attacks when the advisory went live. That forecast is not a guarantee, and administrators should treat the patch with the same priority as any rated-Important RCE.

Why a ‘Local’ Attack Vector Doesn’t Mean Local Danger

The CVSS vector for CVE-2026-55031 is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The AV:L (Attack Vector: Local) has caused some confusion because the CVE title calls the bug “Remote Code Execution.” Microsoft clarifies that “Remote” refers to the attacker’s physical location, while the exploit itself is triggered locally—meaning the malicious code must be executed on the target machine.

In practice, this means:

  • An attacker can be on the other side of the world and send a booby-trapped Excel file as an email attachment, a Teams message, a link to a cloud document, or a file on a compromised thumb drive.
  • The victim does not need to have an existing account or privileges on the target system (PR:N).
  • The victim must take some action—double-clicking the file, for example—for the exploit to fire (UI:R).
  • Once the file is opened in a vulnerable version of Excel, code can run with the same rights as the Excel process, potentially giving the attacker full control (C:H/I:H/A:H).

The local vector simply means Excel triggers the flaw while running on the victim’s own PC, not that the attacker needs physical access or a pre-existing foothold. Document-based attacks have always blended “remote delivery” with “local execution,” and this CVE is no different.

Who Is at Risk—and What It Means for You

Home Users and Everyday Excel Users

If you use any version of Excel listed above, you are vulnerable until you apply the July 2026 update. The attack relies on you opening a malicious file, so basic caution helps: don’t open spreadsheets from unknown senders, and be wary of unexpected attachments even from people you know. But training and vigilance are not perfect; the only real fix is the patch.

IT Administrators and Security Teams

Managed environments need immediate verification:

  • Windows-based Click-to-Run installations (Microsoft 365, Office 2019, LTSC 2021/2024): Confirm that your update channel has pulled down the July 14, 2026 security release. Build numbers will vary by channel; consult the Office update history for your specific ring.
  • MSI-based Excel 2016: Deploy KB5002886 via Windows Server Update Services, Configuration Manager, or your patch management tool. Check that workstations report version 16.0.5561.1001 or later.
  • Mac users: Under Help > Check for Updates, verify that the installed build is 16.111.26071215 or newer. Managed Macs can be updated through Microsoft AutoUpdate command-line tools.
  • Office Online Server: Update to at least build 16.0.10417.20175. This server component often lags behind desktop patches because it requires separate maintenance windows; don’t let it slip through the cracks.

Office Online Server: A Special Case

Office Online Server allows users to view and edit Excel workbooks in a browser. If an attacker can get a malicious file onto a server that still runs a vulnerable build, they might be able to compromise the server process itself, affecting all users who interact with that document. Patch these servers without delay, even if you think they are isolated internally.

How This Vulnerability Slipped Into Microsoft Excel

Out-of-bounds reads are memory safety errors where the software accesses data outside the boundary of a buffer. In CVE-2026-55031, this weakness in Excel’s parsing logic can be abused to achieve code execution, not merely a crash or information leak. The exact technique that turns a read error into arbitrary code execution is not detailed in the advisory, but such chains are well documented in security research.

Microsoft assessed the flaw as “Exploitation Less Likely” because crafting a reliable exploit requires deep technical skill. That doesn’t mean an exploit is impossible—only that it wasn’t seen in the wild when the patch shipped. Historically, Office document vulnerabilities that start with “Less Likely” sometimes mature into active threats months later, especially after researchers or attackers reverse-engineer the fix.

The July 2026 patch arrived as part of Microsoft’s regular Patch Tuesday cycle. No out-of-band emergency release was required, which suggests the issue was resolved within normal coordination timelines.

Patch Now, Don’t Rely on Email Filters Alone

Organizations often lean on email attachment scanning, Mark of the Web, and desktop firewalls to stop malicious documents. Those layers help but are not substitutes for this update. A weaponized Excel file can bypass scanners if it arrives via cloud sync, a shared folder, a USB drive, or a compromised trusted account. Mark of the Web may not apply if the file is downloaded through browsers that don’t set it or if the user moves it from a ZIP archive.

Action steps for everyone:

  1. Check your Excel version: For Windows, go to File > Account > About Excel. For Mac, Excel > About Excel.
  2. Run Windows Update or Microsoft Update: The security update may be delivered through your normal OS patching if you have “Receive updates for other Microsoft products” enabled.
  3. Manual update for Click-to-Run: Open any Office app, go to File > Account > Update Options > Update Now.
  4. For managed MSI Excel 2016: Push KB5002886 immediately. Verify post-patch version numbers in your asset management tool.
  5. Mac users: Open Microsoft AutoUpdate and install all pending Office updates.
  6. Office Online Server: Download and apply the latest cumulative update from the Microsoft Update Catalog.

After patching, remind users to treat unsolicited Office files with suspicion. An up-to-date Excel is your best defense, but user education adds a valuable second layer.

What Comes Next

At publication, no public proof-of-concept code or exploit tool was known. That will change. Security researchers routinely analyze Microsoft’s patches to identify the exact vulnerability and sometimes publish detailed write-ups within days. Malicious actors also monitor Patch Tuesday releases and target organizations that delay deployment. The “Exploitation Less Likely” assessment can shift quickly—don’t bet on it lasting.

Monitor Microsoft’s Security Response Center and your usual threat intelligence feeds for any updates to the CVE’s exploitability index. If the rating changes to “Exploitation More Likely” or “Detected,” accelerate your remediation immediately. For now, the best move is to treat this July 2026 Excel update as a must-install, not a nice-to-have.