On July 14, 2026, Microsoft pushed a fix for a vulnerability that lets attackers quietly read sensitive data from your PC’s memory—just by having you open a poisoned Excel workbook. Tracked as CVE-2026-55054, the flaw earned a CVSS 3.1 base score of 6.5, but the details make it clear why that number shouldn’t lull anyone into complacency. Affected versions span from Excel 2016 to the latest Microsoft 365 Apps, across Windows and Mac, plus Office Online Server.
The Vulnerability at a Glance
The bug is an out-of-bounds read (CWE-125) in how Excel parses certain workbook content. When a specially crafted file triggers the flaw, Excel reads memory beyond what it should—potentially exposing bits of data that have nothing to do with the spreadsheet you’re working on. Microsoft’s advisory, published in its Security Update Guide, confirms the weakness can lead to information disclosure over a network, with a High confidentiality impact. No code execution is required; the attacker simply needs the victim to open the file.
The CVSS vector reads: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In plain language: an attacker can deliver the malicious file remotely, face no authentication barriers, and exploit the vulnerability with low complexity—but they must persuade a user to open it. Once the file is opened, Excel may leak memory contents to a remote destination, all while appearing to behave normally.
The Full List of Affected Software
This isn’t just an Excel 2016 problem. Microsoft’s CVE record covers a long list of Office editions, all of which need patching:
- Microsoft 365 Apps for Enterprise (32-bit and 64-bit on Windows) – fixed via your servicing channel’s update
- Microsoft Excel 2016 (MSI-based) – must reach build 16.0.5561.1001 or later (delivered in KB5002886)
- Microsoft Office 2019 – serviced through the standard Office security update process
- Microsoft Office LTSC 2021 and Office LTSC 2024 – affected on Windows
- Microsoft 365 / Office 365 for Mac – fixed in version 16.111.26071215
- Office LTSC for Mac 2021 and Office LTSC for Mac 2024 – same Mac version threshold
- Office Online Server – fixed in build 16.0.10417.20175 (via KB5002884)
The patch landscape gets messy quickly because not all installations are equal. MSI-based Excel 2016 gets KB5002886. Microsoft 365 Apps (Click-to-Run) receive a different package that depends on your update channel. On Mac, the build number is your beacon. Office Online Server, often overlooked, requires its own KB5002884 to seal the server side.
How a Malicious Workbook Steals Data
Exploitation hinges on a social-engineering lure. The attacker delivers a poisoned Excel file (.xlsx, .xlsm, or even older binary formats) through email, a file-sharing link, a Teams message, or any channel where you might open a document without suspicion. Because Office files are a daily part of business, the barrier to entry is low. There’s no need for an exploit that chains multiple vulnerabilities; a single interaction with the malicious workbook may be enough to exfiltrate memory.
Microsoft hasn’t published the exact type of data that could be exposed, nor has it released a proof-of-concept. Security researchers suspect that, depending on the system’s memory layout at the time of exploitation, an attacker could snatch credentials, fragments of other documents, or internal process data. The read is out-of-bounds, not arbitrary, so the range is limited—but an adversary may still mine valuable intelligence, especially on machines that handle privileged data.
Why “Medium” Severity Is Deceptive
A 6.5 score sits comfortably in the medium band, but it reflects two opposing forces: a potentially serious leak and the requirement that a user opens a file. In many organizations, blending into everyday spreadsheet traffic is trivial. Finance teams import pricing sheets from suppliers, HR loads résumés from applicants, and engineers pull configuration data from repositories. The absence of obvious symptoms makes detection even harder; a successful information-disclosure attempt may leave no crash, no alert, and only a normal-looking Excel session.
Additionally, the vulnerability’s confidence rating is high: Microsoft has acknowledged the flaw, traced it to a specific weakness (CWE-125), and released a tested fix. The CISA SSVC assessment, as of July 14, noted no known exploitation in the wild and rated the vulnerability as not readily automatable. That is a snapshot, not a guarantee. Once technical details surface, threat actors often weaponize such flaws within days.
Your Patching Checklist
Install the July 14 Office updates immediately, but verify rather than assume. Use these steps to make sure every endpoint is covered:
-
Identify your Office flavor
- MSI-based installations (common with volume-licensed Excel 2016) need KB5002886. Check the File > Account > About Excel dialog for the build number.
- Click-to-Run (Microsoft 365 Apps) updates arrive through the update channel. Verify the build against Microsoft’s security release details.
- Mac users: confirm the version is 16.111.26071215 or later.
- Office Online Server: apply KB5002884 and confirm build 16.0.10417.20175. -
Scan for stragglers
Machines on deferred update channels, virtual desktops with non-persistent disks, and rarely-connected laptops often miss automatic pushes. Spot-check these manually. -
Document what’s patched
Record the servicing model, installed build, update channel, and architecture for each system. A simple spreadsheet (ironically) works; just make sure yours can’t be malicious. -
Don’t forget the server side
If you run Office Online Server for browser-based document editing, patching the server is as critical as patching desktop Excel. The server processes files, and an attacker could submit a malicious workbook via a web-facing collaboration feature.
Layered Protections While You Patch
Patching is the definitive fix, but you can reduce risk while deployment is underway:
- Block high-risk attachments: Configure email gateways and collaboration tools to strip or quarantine Office files from untrusted sources.
- Use Protected View: Files arriving from the internet, email, or unsafe locations open in a sandboxed mode. This reduces (but doesn’t eliminate) the attack surface.
- Disable macros and active content from untrusted workbooks: Though not a direct mitigation for this particular flaw, it’s a best practice that shrinks the overall attack vector.
- Restrict outbound connections from Office apps: Network policies can block Excel from reaching arbitrary destinations, complicating exfiltration.
- Isolate untrusted documents: Open suspicious files on a segregated machine or a cloud sandbox for initial inspection.
Outlook: Staying Ahead of Office Flaws
Microsoft typically releases Office security updates on the second Tuesday of each month (Patch Tuesday). This July fix is part of that cadence. In the coming weeks, expect the National Vulnerability Database to add its analysis and perhaps a more detailed CWE breakdown. Until then, build a habit of checking the Office update history after each Patch Tuesday. If you rely on Office Online Server, treat its update cycle with the same urgency as SharePoint or Exchange.
For now, the message is simple: patch Excel, verify the build, and remind users that a spreadsheet from a stranger can be far more dangerous than it looks.