Microsoft has assigned CVE-2026-44820 as a Remote Code Execution (RCE) vulnerability in Microsoft Excel, yet the Common Vulnerability Scoring System (CVSS) v3.1 attack vector is listed as Local (AV:L). This apparent contradiction has sparked confusion among security teams trying to prioritize patching. Here’s what’s really going on, and how defenders should respond.

The Vulnerability at a Glance

CVE-2026-44820 affects all currently supported versions of Microsoft Excel, including Office 2021, Office 2019, and Microsoft 365 Apps. The vulnerability was disclosed as part of Microsoft’s June 2026 Patch Tuesday, with a severity rating of Important. According to the advisory, successful exploitation could allow an attacker to execute arbitrary code in the context of the current user. If that user has administrative rights, the attacker could take full control of the system—installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights.

The core issue lies in how Excel handles certain specially crafted files. A remote attacker can trigger this by convincing a user to open a malicious file, typically delivered via email or a hosted share. However, because the attack requires user interaction and local file access, the CVSS vector stubbornly reads Local. This mismatch is not a mistake; it reflects a fundamental tension between marketing terminology and technical scoring.

Remote vs. Local: The CVSS Paradox

The CVSS attack vector defines the context by which an attacker can exploit a vulnerability. AV:N (Network) means the vulnerability can be exploited remotely over a network without local access. AV:A (Adjacent Network) requires a nearby network position, like a shared Wi-Fi. AV:L (Local) means the attacker must either already have local access to the system or rely on the victim to perform an action, such as opening a file. AV:P (Physical) requires physical manipulation of the device.

For CVE-2026-44820, the attack vector is AV:L because the attacker cannot simply send packets across the internet to trigger the vulnerability. The victim must open a malicious Excel file. That file, however, can originate from anywhere—an email attachment, a download link, or a shared cloud folder. From a defender’s perspective, the attack arrives remotely, but the exploitation point is local. Microsoft’s classification as RCE reflects the worst-case outcome: code execution from a remote source, even if the technical CVSS metric is local.

Technical Breakdown

Security researchers at Trend Micro’s Zero Day Initiative, who originally reported the flaw, provided technical details. The vulnerability exists in Excel’s parsing of the XML-based Office Open XML (OOXML) format used in .xlsx files. Specifically, a malformed sheet entry inside the xl/sharedStrings.xml part can cause a heap-based buffer overflow when the file is opened. By carefully crafting the XML data, an attacker can overwrite memory and redirect execution flow to run arbitrary shellcode.

The attack flow is straightforward: The attacker creates a .xlsx file containing the malicious XML payload and delivers it via spear-phishing email or a compromised website. When the victim opens the file, Excel processes the shared strings table, triggering the overflow before Protected View can intervene. Because the payload runs within the Excel process, it inherits the user’s security context.
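The page states that the flaw is triggered while Excel parses the xl/sharedStrings.xml part, so a mail gateway or file-drop pipeline can at least sanity-check that part before a user opens the workbook. The script below is an added example written for this article; it is not code from ZDI, Microsoft or the original post. Because the exact malformation behind CVE-2026-44820 is not published here, the checks are generic heuristics (declared uniqueCount disagreeing with the real number of entries, an oversized string, a part that does not parse) and not a signature for this CVE. The .xlsx containers it inspects are constructed in memory for the demo.

```python
"""Triage the shared-strings table of an .xlsx before delivery (added example)."""
import io
import zipfile
# Stdlib ElementTree is used so the example runs offline; for untrusted input in
# production, parse with defusedxml to block entity-expansion attacks.
import xml.etree.ElementTree as ET

SST_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Threshold only (assumption): Excel's documented per-cell text limit is 32,767 characters.
MAX_STRING_LEN = 32767


def build_xlsx(shared_strings_xml: bytes) -> bytes:
    """Build a minimal in-memory .xlsx zip with just the parts this demo needs.
    This is constructed test data, not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


def triage_shared_strings(xlsx_bytes: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked odd."""
    findings = []
    try:
        z = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    except zipfile.BadZipFile:
        return ["not a zip container"]
    if "xl/sharedStrings.xml" not in z.namelist():
        return []  # workbook without a shared-strings table: nothing to check here
    raw = z.read("xl/sharedStrings.xml")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"sharedStrings.xml does not parse: {exc}"]
    if root.tag != SST_NS + "sst":
        findings.append(f"unexpected root element {root.tag!r}")
    items = root.findall(SST_NS + "si")
    declared = root.get("uniqueCount")
    if declared is not None:
        try:
            if int(declared) != len(items):
                findings.append(f"uniqueCount={declared} but {len(items)} <si> entries present")
        except ValueError:
            findings.append(f"non-numeric uniqueCount {declared!r}")
    for idx, si in enumerate(items):
        # iter() also walks rich-text runs (<r><t>...</t></r>) inside the entry
        text = "".join(t.text or "" for t in si.iter(SST_NS + "t"))
        if len(text) > MAX_STRING_LEN:
            findings.append(f"entry {idx} has {len(text)} chars (> {MAX_STRING_LEN})")
    return findings


# Constructed samples: a well-formed table and one whose declared count is wrong
# and whose second entry is far larger than any cell can hold.
GOOD_SST = (b'<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
            b'count="2" uniqueCount="2"><si><t>Invoice</t></si><si><t>Total</t></si></sst>')
BAD_SST = (b'<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
           b'count="1" uniqueCount="1"><si><t>Invoice</t></si><si><t>'
           + b"A" * 40000 + b'</t></si></sst>')

if __name__ == "__main__":
    for label, sst in (("good", GOOD_SST), ("bad", BAD_SST)):
        print(label, triage_shared_strings(build_xlsx(sst)))
```

A hit from this triage is a reason to route the file to detonation or hold it, not proof of exploitation; a file that passes it can still be malicious, so it belongs in front of, not instead of, Safe Attachments style sandboxing and patching.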

CVSS Vector and Score Analysis

The full CVSS v3.1 vector for CVE-2026-44820 is:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  • AV:L – Attack Vector: Local. The exploit requires the victim to open a file.
  • AC:L – Attack Complexity: Low. No special conditions are needed; the file opens normally.
  • PR:N – Privileges Required: None. The attacker does not need prior authentication.
  • UI:R – User Interaction: Required. The victim must open the file.
  • S:U – Scope: Unchanged. The vulnerable component and impacted component are the same.
  • C:H/I:H/A:H – Confidentiality, Integrity, Availability impacts are all High. Full system compromise.

This yields a base score of 7.8 out of 10, which is High severity. Had the attack vector been Network (AV:N), the score would jump to 9.6 (Critical). The local vector caps the score at 7.8, which sometimes leads organizations to deprioritize patching as “just local.” That’s a mistake.

Why Microsoft Calls It RCE

Microsoft’s security classifications are not always aligned with CVSS. The company labels vulnerabilities based on the ultimate impact and the attack lifecycle. If an attacker can achieve code execution on a system from a remote origin—even if user interaction is required—it is classified as RCE. This is evident in numerous historical CVEs, such as CVE-2022-30190 (Follina) and CVE-2021-40444: both required user interaction, and their published CVSS vectors differ (one Local, one Network), yet both were classified as remote code execution.

From a practical standpoint, if a financial analyst opens an infected Excel sheet sent by a phishing email, the attacker has effectively run remote code on the corporate network. The CVSS local vector is technically accurate but obscures the remote nature of the threat in everyday security operations.

Exploitation Scenarios

Real-world exploitation typically follows a pattern:

  1. Phishing Campaign: The attacker sends a tailored email with a malicious Excel attachment, often disguised as an invoice, report, or urgent document.
  2. Watering Hole Attack: A compromised website that victims trust hosts the malicious file.
  3. Cloud File Sharing: The attacker places the file on a shared OneDrive or SharePoint site and tricks the victim into opening it.

In all cases, the initial access vector is remote, but the exploitation mechanism is local. Security tools that only act on network-level indicators will miss this entirely. Endpoint detection and response (EDR) and email filtering are essential.

Defender Guidance: Mitigation Steps

Defenders should take immediate action. Even though the CVSS vector is local, treat this as a remote code execution risk and prioritize accordingly. The following steps are critical:

  • Apply the June 2026 Security Update: Microsoft has released patches for all affected versions. Install updates from the Microsoft Update Catalog or Microsoft Update for all endpoints running Excel.

  • Enable Protected View: Ensure that files from the internet and email attachments open in Protected View by default. This can be configured via Group Policy: User Configuration > Administrative Templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center > “Turn off Protected View for attachments opened from Outlook” should be set to Not Configured or Disabled (meaning Protected View is on).

  • Use Attack Surface Reduction (ASR) Rules: Rule “Block Office applications from creating child processes” (GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A) and “Block Win32 API calls from Office macros” (GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B) can blunt many exploitation techniques. These rules are available in Microsoft Defender for Endpoint.

  • Deploy Microsoft Defender for Office 365: Use Safe Attachments to detonate and analyze Excel files in a sandbox before they reach users. Safe Links can also recheck URLs at click-time.

  • Restrict Macros and Active Content: While this specific CVE does not require macros, disabling automatic macro execution for files from the internet adds defense-in-depth. Configure via Group Policy: “Block macros from running in Office files from the Internet.”

  • Implement Application Guard for Office: This opens untrusted documents in a virtualized container, isolating the host. It can prevent exploitation even if the vulnerability triggers.

  • Educate Users: Remind users not to open attachments from unknown senders and to exercise caution with unexpected files, even from known contacts.

  • Monitor for Exploit Attempts: Use Microsoft Defender for Endpoint’s advanced hunting to look for suspicious child processes spawned by Excel (e.g., cmd.exe, powershell.exe, wscript.exe) or unusual file operations.
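The hunting step above is the one most teams can act on immediately, so here is the detection logic spelled out over sample telemetry. This is an added example written for this article, not Microsoft code: it runs over a constructed list of process-creation events shaped roughly like the columns of Defender for Endpoint’s DeviceProcessEvents table (parent file name, child file name, command line, account, device), flags children of Office processes that are script interpreters or other living-off-the-land binaries, and reports anything else Excel spawns that is not on a small allowlist. The allowlist and the interpreter set are assumptions to tune per environment; the events are fabricated.

```python
"""Flag suspicious child processes of Office applications (added example)."""
from dataclasses import dataclass

# Parents whose children deserve scrutiny.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and LOLBins that an exploited Office process commonly launches.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
# Children Excel spawns legitimately (assumption: printing helper, crash reporter,
# a second Excel instance); extend from your own baseline.
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe", "excel.exe"}


@dataclass
class ProcessEvent:
    timestamp: str
    device: str
    account: str
    parent_file: str
    file_name: str
    command_line: str


def classify(ev: ProcessEvent):
    """Return a reason string when the event is suspicious, else None."""
    parent = ev.parent_file.lower()
    child = ev.file_name.lower()
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    if child in LOLBIN_CHILDREN:
        return "office-spawned script/LOLBin interpreter"
    return "office-spawned child not on allowlist"


def hunt(events) -> list:
    """Run classify() over the events and return the hits, oldest first."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({"timestamp": ev.timestamp, "device": ev.device, "account": ev.account,
                         "parent": ev.parent_file, "child": ev.file_name,
                         "command_line": ev.command_line, "reason": reason})
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("2026-06-10T09:01:12Z", "WS-FIN-07", "contoso\\a.analyst", "EXCEL.EXE",
                 "splwow64.exe", "splwow64.exe 12345"),
    ProcessEvent("2026-06-10T09:03:41Z", "WS-FIN-07", "contoso\\a.analyst", "EXCEL.EXE",
                 "powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\update.ps1"),
    ProcessEvent("2026-06-10T09:04:05Z", "WS-FIN-07", "contoso\\a.analyst", "explorer.exe",
                 "cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("2026-06-10T09:05:30Z", "WS-FIN-12", "contoso\\b.clerk", "excel.exe",
                 "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("2026-06-10T09:06:02Z", "WS-FIN-12", "contoso\\b.clerk", "excel.exe",
                 "unknownapp.exe", "C:\\Users\\b.clerk\\AppData\\Local\\Temp\\unknownapp.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['device']} {hit['account']}: "
              f"{hit['parent']} -> {hit['child']} ({hit['reason']})")
```

Pairing this with the ASR rule that blocks Office from creating child processes turns the detection into prevention; keep the hunt running anyway, because the rule can be in audit mode or excluded on some hosts.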

Microsoft Defender for Office 365 Protections

If you have Defender for Office 365, the following capabilities specifically help against CVE-2026-44820:

  • Safe Attachments: Malicious Excel files are detonated in a virtual environment. Any attempt to exploit the vulnerability will be blocked, and the file is not delivered to the user.
  • Safe Links: If the malicious file is delivered via a URL in an email or document, Safe Links can scan and rewrite the URL, providing time-of-click verification.
  • Campaign Views: When phishing campaigns distribute the malicious file, Defender aggregates the campaign data, giving admins a clear view of the threat.
  • Automated Investigation and Response (AIR): If a user does open the file and exploitation is detected, AIR can automatically isolate the device, collect forensic data, and reverse malicious actions.

The Bigger Picture: Rethinking CVSS Interpretation

CVE-2026-44820 is a textbook example of why CVSS cannot be used in isolation. The local attack vector masks the fact that the vulnerability is perfectly suited for mass phishing attacks. Organizations that rely solely on CVSS scores to prioritize vulnerabilities might place this below network-exploitable bugs, leading to a dangerous patching delay.

The National Institute of Standards and Technology (NIST) advises that the CVSS base score is just one component of risk assessment. Environmental and temporal scores should be adjusted based on your threat landscape. If your organization frequently handles Excel files from external sources, temporarily adjusting the Attack Vector to Network (the Modified Attack Vector, MAV:N, in the Environmental metric group) in your internal scoring can more accurately reflect the risk.

Microsoft’s Defender Security Response Team also recommends looking at the Exploitability Index, which for CVE-2026-44820 is currently set to “Exploitation More Likely” due to active exploitation observed in the wild. This index, found in the MSRC advisory, often overrides CVSS base scores in prioritizing patches.

Conclusion

CVE-2026-44820 highlights the semantic divide between technical scoring and real-world threat models. While CVSS correctly labels the attack vector as Local, the vulnerability is, for all defensive intents and purposes, a remote code execution flaw. Patching should be expedited, not deferred. Enhanced Office security configurations, robust email filtering, and user awareness remain the best defense until all systems are updated.

Stay updated through the Microsoft Security Response Center and the June 2026 Patch Tuesday guidance for further IOCs and mitigation updates.