Microsoft\u2019s June 2026 Patch Tuesday brought a critical security advisory that Excel users on Mac cannot ignore\u2014and cannot patch. The vulnerability, tracked as CVE-2026-44823, is a remote code execution (RCE) flaw in Microsoft Excel. While the advisory covers the entire Office suite, it delivers unwelcome news for Mac users: \u201cSecurity updates for Microsoft Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Microsoft 365 for Mac are not yet immediately available.\u201d This leaves a substantial user base exposed indefinitely.

The language is unusual. Microsoft typically aligns patches across platforms, but here it explicitly warns of a gap. The affected products\u2014Office LTSC 2021 and 2024 (the perpetual-license, long-term servicing channel editions) and the subscription-based Microsoft 365\u2014encompass nearly all modern Office deployments on macOS. For IT administrators and everyday users alike, the advisory raises urgent questions about risk, timing, and protective measures.

What is CVE-2026-44823?

At its core, CVE-2026-44823 allows an attacker to craft a malicious Excel file that, when opened, executes arbitrary code on the victim\u2019s machine. RCE flaws are among the most dangerous because they can give an attacker full control, often without additional authentication. The Excel spreadsheet, a trusted business tool, becomes a Trojan horse.

Microsoft\u2019s advisory provides few technical specifics\u2014no CVSS score or exploit details\u2014but it classifies the flaw as critical. In practice, this could mean a buffer overflow, a misparsed formula, or a poisoned macro design. Attackers typically distribute such files via phishing emails or drive-by downloads. Once executed, the code could install malware, exfiltrate data, or move laterally within a network.

A Glimpse into Excel RCE Mechanics

Excel isn\u2019t just grids and numbers. It supports complex formulas, external data connections, Power Query, older binary formats like .xls, and automation through macros and ActiveX. Each of these features adds parsing complexity\u2014and with complexity, the potential for memory corruption bugs. Researchers have found that subtle flaws in how Excel handles malformed workbook structures, especially in legacy fields, can be leveraged to hijack the execution flow.

When Microsoft patches an RCE on Windows, it often involves updates to the core\u2014sometimes a single DLL or binary. For Mac, though, the fix must be ported to a completely different codebase. Office for Mac uses Apple\u2019s frameworks (like CoreGraphics and the App Sandbox) and is written primarily in C++ and Objective-C. A vulnerability that manifests identically in the file parser may require distinct code changes on macOS. This inherent difference is why Mac patches can sometimes lag.

The Patch Delay: Why Macs Are Missing Out

Office for Mac does not simply port the Windows code; it\u2019s a separate, native macOS application. When a vulnerability is found in shared components\u2014like the Excel calculation engine\u2014the fix often requires parallel development. Sometimes, architectural differences in how macOS handles file parsing or memory management mean the remediation takes longer to implement and test.

The advisory\u2019s phrasing, \u201cnot yet immediately available,\u201d hints that patches are under development but not ready for release. For Microsoft, holding back an incomplete fix is standard practice. A premature patch could introduce regressions or fail to fully close the attack vector.

This isn\u2019t the first time Mac users have been left waiting. Similar delays have cropped up sporadically over the years, from Outlook to Word to Excel itself. Each incident reignites debates about Microsoft\u2019s resource allocation for its non-Windows products and the perceived second-class treatment of macOS in a cross-platform security strategy.

The Anatomy of a Patch Delay

When a vulnerability is reported (or discovered internally), the fix cycle follows a predictable path:

  1. Triage: Microsoft confirms the bug and assesses its severity.
  2. Development on Windows: Engineers create a patch for the primary codebase\u2014often the Windows version, as it serves the largest user base.
  3. Porting to Mac: The Mac team adapts the fix. This may involve rewriting memory-handling routines or re-architecting how the app interacts with macOS security layers like Hardened Runtime.
  4. Testing: Both platforms undergo validation. On Mac, compatibility across macOS versions (Ventura through Sonoma) and Apple Silicon vs. Intel adds complexity.
  5. Packaging and Distribution: Updates for Mac are delivered via Microsoft AutoUpdate (MAU). The team must ensure the delta patch is signed, notarized, and integrates with existing installations.

A hiccup at any stage can push the Mac update out of sync with Windows. The \u201cnot yet immediately available\u201d note strongly suggests that the porting or testing phase is still underway.

Who Is Affected?

The advisory lists three specific products:

  • Microsoft Office LTSC for Mac 2021 \u2013 the long-term servicing channel version, popular in regulated industries that need stability and infrequent feature updates.
  • Microsoft Office LTSC for Mac 2024 \u2013 the newer perpetual-license release, adopted by organizations modernizing their Office estate.
  • Microsoft 365 for Mac \u2013 the subscription suite that receives continuous updates; this is the most widely used version on personal and many corporate Macs.

Noticeably absent is Office 2019 for Mac, likely because it is out of mainstream support. Also missing is any mention of the iOS or iPadOS versions, which might share code but aren\u2019t listed. The focus is squarely on desktop-grade Excel.

Any user or organization relying on these versions to open Excel files\u2014especially .xls, .xlsx, or .xlsm documents from external sources\u2014is currently unprotected.

Real-World Risks

An unvalidated RCE in Excel is a gift for social engineers. Attackers can embed the exploit in invoices, reports, or resumes. One wrong click in a well-crafted phishing email can compromise an entire system. On a Mac, the impact can be equally severe: although macOS has strong built-in security (Gatekeeper, SIP, sandboxing), a successful Office exploit can bypass many of these layers because Excel is a trusted, signed application that users explicitly grant permissions to.

For enterprises, Macs often coexist with Windows machines on the same network. A compromised Mac can serve as a bridgehead to attack servers, cloud resources, or other endpoints. Delayed patching on a high-value target means extended exposure and heightened pressure on IT teams. Industries that handle sensitive data\u2014finance, healthcare, legal\u2014are especially at risk if they run mixed environments.

What Microsoft Has Said (or Not Said)

At the time of writing, Microsoft\u2019s advisory page for CVE-2026-44823 remains the only official communication. The company has not provided a timeline or additional workarounds. The lack of detail is not unusual; many critical vulnerabilities receive sparse initial documentation to prevent clueing in attackers. Still, Mac users are left to interpret the phrase \u201cnot yet immediately available\u201d in the most pessimistic light.

What Can Mac Users Do Now?

Without a patch, defense shifts to mitigation. Microsoft has not released any official workarounds specific to CVE-2026-44823, but general best practices for Office document security apply. The actions below can reduce the attack surface while waiting for the update.

For Individuals

  • Disable automatic opening of attachments. Set Mail to not automatically download or open file attachments. In Outlook, turn off the preview pane to avoid accidental interaction with a weaponized file.
  • Enable Protected View at all times. This isolates risky files, preventing active content from running without explicit user consent. Go to Excel Preferences > Security and ensure Protected View is on for files from the internet, email, and other unsafe locations.
  • Turn off macros and ActiveX by default. Even though this vulnerability might not rely on macros, reducing the macro attack surface is wise. Disable the raising of events for non-trusted locations.
  • Validate file sources. Treat every Excel file from an external or unexpected source as suspect. If you must open a file, use a virtual machine or a cloud-based sandbox service first.
  • Keep Microsoft AutoUpdate active. Check for updates manually at least daily. Patches for Mac could arrive as an out-of-band release at any time. Open MAU from the Help menu in any Office app and select \u201cCheck for Updates.\u201d
  • Consider using a Windows virtual machine or a remote desktop to open untrusted Excel files on a patched Windows instance (once confirmed that the Windows version of Office has received the fix). This physical separation can contain any potential damage.

For Organizations

  • Tighten email filtering rules to strip or quarantine .xls, .xlsx, and .xlsm attachments from unknown senders. Implement DMARC and DKIM to reduce spoofing.
  • Deploy Group Policy or MDM controls (via Jamf, Intune, etc.) to enforce Protected View and disable macros across the fleet.
  • Enable Endpoint Detection and Response (EDR) tools that can spot unusual behavior from Office applications, like unexpected network connections or process child spawns. Configure alerts for any Office app spawning a shell or PowerShell-like process.
  • Restrict the execution of ActiveX controls through preference settings.
  • Educate users about the specific threat of Excel-based phishing. Simulated phishing campaigns can help reinforce the \u201cthink before you click\u201d mindset.

What to Expect Next

Historically, Microsoft has sometimes delivered the Mac patch within days of the Windows release, especially for critical vulnerabilities. The advisory\u2019s wording suggests the update is being actively worked on. It may be included in a second wave of Patch Tuesday updates later in the month, or released as a standalone update via the Microsoft AutoUpdate mechanism.

Mac users should monitor the Microsoft Security Response Center (MSRC) page for CVE-2026-44823, which will be updated once the fix is available. Additionally, the Office for Mac release notes page and the Microsoft AutoUpdate changelog will list the patch when it lands.

The incident reignites the conversation about platform parity in security. Microsoft has made strides in unifying its Office codebases\u2014the Microsoft 365 apps share a considerable amount of underlying logic\u2014but delays like this remind customers that macOS remains a secondary citizen in some respects. Businesses that operate mixed environments must factor such asymmetries into their risk models and incident response plans.

Conclusion

CVE-2026-44823 is a stern reminder that critical vulnerabilities do not wait for patch schedules. For Mac Office users, the advisory\u2019s admission that fixes \u201care not yet immediately available\u201d is both alarming and frustrating. While the Windows world may have already applied its protection, the Mac side is left in a precarious holding pattern.

Until Microsoft ships the update, vigilance is the best defense. Apply every mitigation you can, educate users about the risks of untrusted Excel files, and keep a close eye on the official channels. The patch will come\u2014but in cybersecurity, a delay is always a liability.