On July 14, 2026, Microsoft released a critical security patch for multiple versions of Excel, closing a vulnerability that allows attackers to read sensitive data from a computer’s memory simply by tricking a user into opening a malicious workbook. The flaw, tracked as CVE-2026-48580, affects a broad range of Office installations, from Excel 2016 to Microsoft 365 apps on Windows and Mac, as well as Office Online Server—making it a priority for both home users and IT administrators.
What Gets Fixed with the Latest Update
The heart of the problem is an untrusted pointer dereference (CWE-822) in Microsoft Office Excel. In plain terms, the software can inadvertently use a memory pointer that an attacker has corrupted, causing it to read or expose portions of system memory that should remain private. Microsoft rates the vulnerability as Important, with a CVSS 3.1 base score of 5.5. The vector—AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N—tells a focused story: an attacker needs no special privileges (PR:N) and low attack complexity (AC:L), but must convince a user to open a booby-trapped file (UI:R). Once triggered, the flaw has a high impact on confidentiality (C:H), meaning significant data could leak, but Microsoft says there is no ability to modify data, execute code, or crash the system.
That narrow scope might sound reassuring, but information disclosure in Office can be dangerous. Dumped memory may contain fragments of other documents, file paths, authentication tokens, or layout details that help an attacker craft a more targeted follow-on exploit. Microsoft hasn’t specified exactly what data can be siphoned, so it’s safest to assume the worst.
This patch is part of a larger July 2026 security release for Office that also addresses several remote code execution vulnerabilities in Excel. The fix is cumulative, so applying the latest update closes CVE-2026-48580 along with other threats.
Who’s at Risk and What Could Happen
Almost every currently supported edition of Excel is in the firing line. Here’s the full list of affected products and the versions you need to reach for protection:
- Microsoft 365 Apps for enterprise (32- and 64-bit Windows): Install the latest security build from your update channel.
- Excel 2016 (MSI): Update to version 16.0.5561.1001 or later via KB5002886.
- Office 2019 (Volume License): Apply the July 2026 security update.
- Office LTSC 2021 and 2024: Deploy the current security release.
- Office for Mac (Microsoft 365 or LTSC): Upgrade to version 16.111.26071215 or newer.
- Office Online Server: Verify you’re running build 16.0.10417.20175 or later.
For home users and knowledge workers, the most likely attack scenario is a phishing email carrying a weaponized Excel workbook. Unsolicited attachments, links to cloud-stored spreadsheets, or even files shared through compromised Teams accounts could deliver the exploit. Opening the file triggers the vulnerability—no macros need to run, and Protected View might not block the memory access pattern. The attacker steals information from your PC’s memory and uses it to plan further intrusions.
Business networks face a broader exposure surface. An organization that regularly exchanges spreadsheets with customers, suppliers, or contractors is especially vulnerable if any endpoint is running outdated Office. Office Online Server adds another wrinkle: it’s often deemed “back-end infrastructure” and can slip through standard desktop patching windows. An unpatched server could be exploited if an attacker can cause it to process a malicious workbook, potentially leaking memory from the server process.
Microsoft confirms the vulnerability exists (its report-confidence metric is “Confirmed”) but sees no evidence of active exploitation or public proof-of-concept code as of the patch date. That doesn’t mean you can delay. With low attack complexity and no privilege requirement, industrious adversaries will likely reverse-engineer the fix to create working exploits within days.
The Patch Timeline and What Led to It
CVE-2026-48580 was discovered internally and reported through Microsoft’s coordinated vulnerability disclosure process. It’s the latest in a long line of pointer-related bugs that have plagued Office applications—common in large, complex codebases where memory management can go awry. This particular bug likely traces back to how Excel parses certain file structures, trusting pointers that should have been validated before use.
The July 2026 Patch Tuesday bundle is unusually heavy on Excel fixes. Alongside this information disclosure flaw, Microsoft addressed multiple remote code execution issues (none publicly detailed to avoid giving attackers a roadmap). Security researchers and threat actors alike know that chaining an info leak with a code execution bug can lead to a full system compromise, so these parallel patches should be seen as a unified defense.
For organizations still running Excel 2016, the timeline is critical. Mainstream support for Office 2016 ended in 2020, but extended support continues until October 14, 2025—barely a month after this patch. Microsoft typically provides security updates only for supported products, making this one of the final bulletins for the venerable suite. Upgrading to a newer Office version should be on every admin’s radar before the support cutoff.
Your Action Plan: Update Now
There is no workaround; patching is the only reliable defense. Here’s what to do based on your setup:
For Microsoft 365 Subscribers (Windows and Mac)
- Open any Office application (Excel, Word, etc.).
- Go to File > Account > Update Options > Update Now.
- On a Mac, you can also launch Microsoft AutoUpdate from the Help menu of any Office app and select “Update.”
- Verify the build number: for Windows, you should see a version from the July 14, 2026, release onward (exact string varies by channel); for Mac, ensure it’s at least 16.111.26071215.
For Perpetual Office Users (Excel 2016, Office 2019, LTSC 2021/2024)
- Excel 2016 MSI: Download and install KB5002886 from the Microsoft Update Catalog or approve it in Windows Server Update Services (WSUS). The update pushes the executable to version 16.0.5561.1001.
- Office 2019, LTSC 2021/2024: Run Windows Update and install all available Office security updates. These are typically under the “Important” or “Security” classification.
- After installation, restart any open Office apps and confirm the version via File > Account > About Excel.
For IT Administrators
- Inventory all Office installations: Use Microsoft Configuration Manager, Intune, or third-party asset tools to find machines running Excel 2016, Office 2019, LTSC, or Microsoft 365 Apps. Don’t forget Mac clients and virtual desktop images.
- Verify update compliance: Simply checking “Windows Update ran” isn’t enough. For Excel 2016, confirm file version 16.0.5561.1001. For click-to-run editions, compare each device’s build number against the latest release for its update channel (Current, Monthly Enterprise, etc.).
- Audit Office Online Server: If your organization uses it for Excel Online document rendering, access the server’s admin console or check the build number via PowerShell. This infrastructure often misses regular patching cycles. The fixed build is 16.0.10417.20175.
- Double down on email and web filtering: While you race to patch, ensure your email gateway quarantines unsolicited Excel files, especially those from unfamiliar domains. Block macros by default; though this exploit doesn’t need them, it’s a good general practice.
Looking Ahead
CVE-2026-48580 is a stark reminder that even “read-only” vulnerabilities can be stepping stones for sophisticated attackers. The July 2026 bulletin is a chunky one—patch everything now, not piecemeal. Watch for post-patch analysis from security firms; if a proof-of-concept surfaces, the risk of opportunistic attacks will spike.
Going forward, treat any Excel file arriving unexpectedly as hostile, even if it appears to come from a known contact. Keep Office auto-updates enabled, and if you’re still clinging to Excel 2016, accelerate your migration plans. The next Patch Tuesday is only a month away, and with it will come another round of fixes for the software we all rely on every day.