Microsoft’s July 14, 2026 security updates address a high-severity information-disclosure flaw in Excel that could let attackers extract sensitive memory data simply by tricking someone into opening a booby-trapped file. This isn’t a remote exploit, but CVE-2026-55122 carries a CVSS score of 7.1 because of the damage it can cause: attackers can read process memory they shouldn’t, and the attack may crash Excel. Every major Office version on Windows, Mac, and Office Online Server is affected, so patching requires more than just hitting Windows Update.

The Flaw: Out-of-Bounds Read in Excel

At its core, CVE-2026-55122 is an out-of-bounds read (CWE-125) in Microsoft Excel. When the application parses a specially crafted file, it can access memory beyond the intended buffer, exposing data that should remain private. The vulnerability is local—an attacker must convince a user to open a malicious workbook—but no special privileges are needed, and the attack complexity is low. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) tells the story: high impact to both confidentiality and availability, with no integrity loss. So a successful exploit could leak anything from encryption keys to fragments of other open documents, and it might also destabilize or crash the application.

Microsoft has not detailed exactly what memory regions are exposed, but that shouldn’t lead anyone to assume the risk is minimal. Out-of-bounds reads can reveal sensitive data like credentials, personal information, or internal process details that an attacker can leverage for lateral movement or further compromise. The vulnerability is not a stepping-stone to remote code execution on its own, but the information it yields could weaken defenses in multi-stage attacks.

Everywhere Excel Lives

The list of affected products is long and covers all major Office editions and platforms. Here’s the breakdown:

Product Affected Until Build/Version Update Mechanism
Microsoft 365 Apps for Enterprise (32/64-bit Windows) Any build before the July 14, 2026 servicing release Click-to-Run channel update
Excel 2016 (MSI-based, 32/64-bit Windows) Before version 16.0.5561.1001 KB5002886
Office 2019 (Windows) All builds before July 14, 2026 patch Click-to-Run / MSI depending on edition
Office LTSC 2021 (Windows) All builds before July 14, 2026 patch Click-to-Run
Office LTSC 2024 (Windows) All builds before July 14, 2026 patch Click-to-Run
Microsoft 365 for Mac / Office LTSC for Mac 2021 / 2024 Before version 16.111.26071215 Microsoft AutoUpdate
Office Online Server Before version 16.0.10417.20175 KB5002884

The breadth of the exposure means a mixed-enterprise environment could have vulnerable installations hiding on Macs, virtual desktops, or neglected Office Online Server instances even after Windows desktop updates are applied.

What It Means for You

For Home Users and Small Offices

If you’re running Microsoft 365 or a perpetual Office edition, check that Office updates are installed. For Microsoft 365 subscribers, updates usually arrive automatically through Click-to-Run, but you can manually trigger the check by opening Excel, going to File > Account > Update Options > Update Now. For standalone Office 2016 or 2019, make sure Windows Update is configured to include updates for other Microsoft products, or download the relevant security update from the Microsoft Update Catalog.

On a Mac, open any Office app, go to Help > Check for Updates, and install version 16.111.26071215 or later. Restart all Office apps after the update.

For IT Administrators

This vulnerability is a stern reminder that Office patching is a separate beast from Windows patching. Even if your Windows Update compliance reports look green, you may have vulnerable Excel builds if:

  • You use configuration management for Windows but rely on a different pipeline for Office updates (e.g., Microsoft 365 Apps Admin Center or Configuration Manager’s Software Update Point).
  • You have delayed update channels for Microsoft 365 Apps that haven’t yet received the July 14 build.
  • You support Mac users whose AutoUpdate settings may be deferred or disabled.
  • You run Office Online Server, which must be updated manually with KB5002884 (and likely a server restart).

After deploying the updates, verify the installed version across all platforms. On Windows, you can check Excel’s build number via File > Account > About Excel or query the version attribute from the Click-to-Run configuration (\HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration). For Excel 2016 MSI, the file version should be at least 16.0.5561.1001. On Mac, the build number appears in the About Excel dialog under the name of the application.

If you can’t patch immediately, reduce the risk by tightening attachment filtering, enforcing Protected View for all files originating from the internet, and reminding users not to open unexpected workbooks. But none of these alternative measures fix the underlying memory bug—patching is the only real solution.

For Developers and Security Analysts

If you maintain applications that generate or parse Excel files, there is currently no public technical detail on which specific file structure triggers the out-of-bounds read. That means generic content-filtering signatures are unlikely to catch all malicious variants. Keep an eye on the MSRC page and the National Vulnerability Database entry for any Technical Analysis sections that might appear in the coming weeks. Meanwhile, ensure your threat detection rules flag any execution of Office processes with unusual arguments or downloads from untrusted sources.

How We Got Here: A Familiar Attack Pattern

CVE-2026-55122 follows a well-worn path: a high-severity bug in an essential productivity application that requires user interaction but still merits urgent attention. The July 2026 Patch Tuesday cycle delivered a batch of Office fixes, with this Excel vulnerability being one of the most critical due to its potential to silently exfiltrate data. Microsoft’s MSRC advisory is the authoritative source, though the NVD page was still awaiting independent enrichment as of July 15, 2026.

The vulnerability underscores the complexity of modern file formats. Excel supports hundreds of features, functions, and legacy compatibility modes, and each one adds parsing code that can contain memory-safety bugs. An out-of-bounds read might seem less dangerous than arbitrary code execution, but in an era where attackers chain together multiple low-severity flaws, a reliable information leak is a valuable tool. It can help break address-space layout randomization (ASLR) or expose secrets that enable lateral movement.

Office has layered defenses—Protected View, Mark of the Web, macro blocking—but many of those rely on the file entering through a clearly untrusted path. If an attacker can get a document onto a network share or a SharePoint library without triggering a security zone identifier, those mitigations may not engage. And even when they do, a determined social-engineered user might just click “Enable Editing.”

What to Do Now

  1. Identify vulnerable installations. Use your endpoint management tool to inventory Office versions across all platforms, including virtual desktop images and Office Online Server.
  2. Deploy the July 14, 2026 security updates. For most organizations, this means:
    • Approving and pushing the relevant Click-to-Run updates through the Microsoft 365 Apps Admin Center or Configuration Manager.
    • Downloading and installing KB5002886 for Excel 2016 MSI deployments.
    • Updating Mac Office via the Microsoft AutoUpdate tool to version 16.111.26071215 or later.
    • Applying KB5002884 to Office Online Server, validating that the build reaches 16.0.10417.20175.
  3. Verify the installed build numbers. Don’t rely on policy status alone. Spot-check a random sample of devices and confirm the build string matches the expected patched version.
  4. Communicate with users. Remind your workforce to exercise caution with unsolicited Excel attachments, especially those from external sources. Even a patched environment can be compromised if a user opens a malicious file while the update is still pending.
  5. Monitor for exploitation activity. While Microsoft has not reported active exploitation of CVE-2026-55122, it’s wise to alert your SOC to watch for unusual Excel process behavior, unexpected crash reports, or large file-write operations that could indicate data extraction.

Keeping an Eye on the Horizon

At the time of writing, there’s no public proof-of-concept code, and the attack requires human interaction, but the wide array of affected Office suites makes this a tempting target for attackers who specialize in business-email compromise and data theft. Microsoft typically doesn’t provide deep technical details until well after patching has reached critical mass, so expect more information to surface in the coming weeks from security researchers. For now, the smart play is to treat this like any other high-rated Office vulnerability: patch comprehensively, confirm the patches actually took, and don’t assume your Windows update routine covered every Excel installation in your environment.