Microsoft’s July 2026 security updates include a fix for an Excel vulnerability that seems, at first glance, less dangerous than its title suggests. The flaw, tracked as CVE-2026-55048, is officially classified as a remote code execution (RCE) —yet the accompanying detailed metrics label the attack vector as “local.” This contradiction has confused patch managers before. The bottom line: an attacker can still send you a booby-trapped spreadsheet from across the Internet, and opening it could hand over control of your PC. Here’s what happened, why the label matters, and exactly how to protect yourself.

The July 2026 Excel Patch: What Actually Got Fixed

Published on July 14, 2026, the advisory from Microsoft’s Security Response Center rates CVE-2026-55048 as Important with a CVSS 3.1 score of 7.8. The underlying issue is an integer overflow or wraparound that can lead to a heap-based buffer overflow when Excel processes malformed file content. An attacker who crafts a special workbook and convinces a user to open it could execute arbitrary code with the same privileges as the logged-in user. No authentication or prior access is needed—just a successful phish or a careless click.

The flaw affects a broad swath of Office editions:

  • Microsoft 365 Apps for Enterprise
  • Office 2019 (MSI and Click-to-Run)
  • Office LTSC 2021
  • Office LTSC 2024
  • Excel 2016 (MSI and Click-to-Run)
  • Office Online Server
  • Office for Mac (supported versions)

Specific vulnerable builds include Excel 2016 prior to version 16.0.5561.1001, Office Online Server before 16.0.10417.20175, and Office for Mac earlier than 16.111.26071215. For MSI-based Excel 2016, the fix arrived in KB5002886; Microsoft 365 and Office subscriber editions received the patch through their usual update channels.

Why This Bug is Labeled ‘Remote’ but Requires Local Action

Anyone reading the CVSS vector (AV:L) might assume an attacker must already be sitting at your machine. That’s not the case. Microsoft clarifies that “remote” in the CVE title refers to the attacker’s location—someone who can prepare and deliver the malicious file from afar. The attack itself is carried out locally because Excel processes the booby-trapped workbook on your own computer.

Think of it this way: the attacker doesn’t need an account on your PC. They can email you a file, share it via Teams or OneDrive, or host it on a download site. The moment you open it in a vulnerable Excel, the code path triggers locally, and the attacker’s payload runs. The “attack vector: local” metric simply acknowledges that exploitation relies on Excel executing code on the target device, not on an over-the-network service. This is a classic user-interaction-required RCE—the most common type for Office macros and document-based attacks.

What This Means for You

For Everyday Excel Users

If you use Excel at home or at work, treat this as a reminder that opening unsolicited spreadsheets is dangerous—even from people you know, if their account was compromised. The patch eliminates the vulnerability, but until you apply it:

  • Never open Excel files from untrusted sources.
  • Pay attention to Protected View warnings—they exist because a file originated from the internet.
  • Don’t disable security features like Mark of the Web just to speed up your workflow.

For IT Administrators

The AV:L rating sometimes causes vulnerability scanners to flag this issue as “local” and deprioritize it. Don’t fall into that trap. A weaponized spreadsheet can land in your users’ inboxes tomorrow. Because exploitation requires no privileges (PR:N) and low attack complexity (AC:L), your patching cadence should treat this as a standard critical Office update.

  • Push the July 2026 Office security updates to all endpoints immediately.
  • Verify that your deployment covers both MSI-based installs and Click-to-Run channels—the fix comes in different packages.
  • Review your mail-flow rules: if possible, filter attachments with dubious file extensions (e.g., .xlsm, .xlsb) from external senders.

For Mac Users

Office for Mac is also affected. Check for updates through Microsoft AutoUpdate or the Microsoft 365 app. The fixed version is 16.111.26071215 or later. Apple’s built-in security layers (Gatekeeper, XProtect) provide some defense, but they are no substitute for patching the application itself.

How We Got Here

Confusion over “remote” vs “local” in CVSS vectors has dogged Office advisories for years. Microsoft added an explicit FAQ to its Security Update Guide after similar questions arose for earlier Excel and Word flaws. The distinction, as the company explains, is that RCE describes the attacker’s firing position, while attack vector describes where the vulnerable component does its processing.

CVE-2026-55048 is the latest in a long line of Office memory-corruption bugs that rely on user interaction. Notable examples include the Follina exploit chain (CVE-2022-30190) and a raft of Outlook preview-pane RCEs. While this particular flaw wasn’t publicly disclosed or exploited at the time of patching, history shows that details often leak once reverse engineers compare before-and-after binaries. Patch now, before that happens.

What to Do Right Now

Here’s your step-by-step action plan:

  1. Identify affected systems – Scan your environment for Office installations running any version older than the fixed builds mentioned above. For guidance, consult Microsoft’s official advisory for the exact KB numbers per product.
  2. Deploy updates – Use Windows Update, WSUS, Microsoft Endpoint Configuration Manager, or your third-party patch tool to push the July 2026 Office security updates. For Microsoft 365 Click-to-Run clients, the update is delivered automatically, but you can force it by clicking File > Account > Update Options > Update Now.
  3. Verify the fix – For Excel 2016 MSI, build 16.0.5561.1001 or later indicates the patch is installed. On other editions, check the version number under File > Account > About Excel.
  4. Harden user endpoints – Even after patching, ensure macros from the internet are blocked by default (a setting already enabled in recent Office builds). Reinforce Protected View via Group Policy if you manage a domain.
  5. Educate users – Remind staff to scrutinize unexpected spreadsheets, especially those asking to enable editing or content.

Outlook

No active exploits have been reported yet, but attackers will likely reverse-engineer the patch and develop working proofs of concept within weeks. Because the CVSS temporal score is unchanged, the severity could jump once exploits appear in the wild. Microsoft typically releases Micropatches or Intune policies for rapid deployment when a threat emerges—watch the MSRC blog for updates.

For now, the most important thing is to treat CVE-2026-55048 as a genuine remote-code-execution risk, get the update installed on every copy of Excel you manage, and keep an eye out for any signs of active weaponization.