On July 14, 2026, Microsoft released a security update for Microsoft Excel that patches a vulnerability capable of silently leaking sensitive data from your spreadsheets. The flaw, identified as CVE-2026-55046, allows an attacker to craft a malicious workbook that, when opened by a user, can read information from areas of memory it should not have access to. Microsoft has rated the vulnerability Important and assigned it a CVSS 3.1 score of 5.5, with high confidentiality impact. The patch covers Excel on Windows, macOS, and Office Online Server, and Microsoft urges all users and administrators to apply the update immediately.

The Flaw: An Out-of-Bounds Read That Leaks Data

CVE-2026-55046 is an out-of-bounds read vulnerability (CWE-125). In simple terms, when Excel processes a specially constructed file, it can be tricked into accessing data beyond the boundaries of a memory buffer. Whatever happens to be stored in that adjacent memory region—temporary data from other parts of the spreadsheet, or even system-level information—could become visible to the attacker. Microsoft’s advisory confirms that the vulnerability has a high confidentiality impact, meaning the leaked data could be highly sensitive. However, it does not allow an attacker to modify files, execute code, or crash Excel; it is purely an information disclosure bug.

The attack vector is local, which means an attacker cannot exploit this flaw over the internet without convincing a user to open a malicious file. In most real-world scenarios, that would involve a phishing email with an Excel attachment or a social engineering campaign that tricks someone into downloading and opening a spreadsheet. Because spreadsheets are a staple of business communication—used for invoices, payroll, financial reports, and data analysis—such attacks can easily blend into everyday workflows.

Importantly, the vulnerability does not require macros or additional user interactions beyond opening the file. Once the workbook is opened, the out-of-bounds read can occur automatically, siphoning data without any visible warning. This makes the flaw particularly insidious; users may not realize anything is wrong.

Which Versions Are Affected?

The patch addresses a wide range of Excel deployments. If you’re using any of the following, you are likely affected and need to update:

  • Microsoft 365 Apps for Enterprise (32-bit and 64-bit on Windows)
  • Microsoft Excel 2016 (32-bit and 64-bit on Windows) — MSI-based installations require KB5002886
  • Microsoft Office 2019 (32-bit and 64-bit on Windows)
  • Microsoft Office LTSC 2021 (Windows)
  • Microsoft Office LTSC 2024 (Windows)
  • Microsoft 365 for Mac — build earlier than 16.111.26071215
  • Office LTSC for Mac 2021 — build earlier than 16.111.26071215
  • Office LTSC for Mac 2024 — build earlier than 16.111.26071215
  • Office Online Server — deployments need KB5002884, updating to version 16.0.10417.20175

For Click-to-Run editions, which include most Microsoft 365 subscription installs and Office 2019/2021/LTSC packaged that way, the fix will roll out via your configured update channel. You can manually check for updates in any Office application under File > Account > Update Options. After the update, Excel’s build number should meet or exceed the fixed versions listed in the advisory.

If you’re still on an older, unsupported version of Office (like Office 2013), you won’t receive this patch. Microsoft’s lifecycle policy means those apps no longer get security fixes, leaving them permanently vulnerable. Upgrading to a supported version is the only long-term fix.

For Home Users: Patch Now and Stay Cautious

If you use Excel at home, the takeaway is simple: apply the July 2026 update as soon as possible. For Microsoft 365 subscribers, updates typically install automatically, but you can prompt an immediate check by opening Excel, clicking on File, then Account, then Update Options, and choosing “Update Now.” Once updated, you can verify your version: on Windows, it should be at least 16.0.5561.1001 for Excel 2016, or a later build for Microsoft 365. On a Mac, check Excel’s About box for version 16.111.26071215 or higher.

While the patch is your best defense, practice healthy suspicion toward unsolicited spreadsheet attachments. Even with the fix, attackers constantly find new vulnerabilities, so never open files from unknown sources. Use Windows’ built-in Protected View, which opens documents from the internet in a sandboxed mode by default. Don’t disable the “Mark of the Web” prompts that warn you about files downloaded from the internet. And consider using Microsoft Defender (free with Windows) for real-time scanning.

For IT Admins: Inventory Every Excel Instance—Including Macs and Servers

For businesses and organizations, patching is more complex because Excel appears in many corners of the IT environment. Here’s a checklist to ensure full coverage:

  1. Start with a complete inventory. Scan for Excel installations on Windows, Mac, and any remote desktop or virtual desktop setups. Pay special attention to Office Online Server (OOS), which often flies under the radar during desktop patch cycles. OOS processes Excel files on the server side for web-based interactions, so unpatched OOS farms can expose data even if desktops are updated.
  2. Deploy the correct patch for each product:
    - For MSI-based Excel 2016 (a common deployment in locked-down enterprise environments), download and install KB5002886 from the Microsoft Update Catalog or through WSUS.
    - For Office Online Server, apply KB5002884, which brings the installation to version 16.0.10417.20175. Test the update in a staging environment first, as OOS patches can sometimes affect custom integrations.
    - For Click-to-Run editions, ensure your update policy is pushing out the latest build from the Monthly Enterprise Channel or Current Channel as appropriate. The July security fixes are included in builds released after July 14, 2026.
    - For macOS, use your mobile device management (MDM) tool or Microsoft AutoUpdate to enforce version 16.111.26071215 or later across all Macs with Office installed.
  3. Validate after deployment. Don’t assume success—spot-check build numbers on a sample of endpoints. For Excel 2016 on Windows, the build should be 16.0.5561.1001 or higher. For Microsoft 365 Apps, compare against the version listed in the Microsoft Update History for your channel. For Macs, the build number is visible in the About Excel dialog.
  4. Don’t treat this as a standalone patch. The July 2026 update for Excel addresses multiple security flaws, including remote code execution (RCE) vulnerabilities beyond CVE-2026-55046. Skipping or delaying the update leaves you exposed to a broader set of threats, not just this information disclosure.

While the patch is rolling out, reinforce your email filters and attachment sandboxing. Configure Microsoft Defender for Office 365 to detonate suspicious attachments in a safe environment. Remind users to report unexpected Excel files, especially those that arrive with generic subject lines like “Invoice” or “Statement.” But remember: these measures are temporary stopgaps. The patch closes the door; everything else is just locking the windows.

How We Got Here: A Quiet Patch Tuesday Fix

CVE-2026-55046 first appeared in Microsoft’s July 14, 2026 Security Update Guide as part of the regular Patch Tuesday release. There was no prior public disclosure, and according to both the Zero Day Initiative and SANS Internet Storm Center, the vulnerability was neither exploited in the wild nor publicly known before the fix shipped. That makes it a standard controlled disclosure, not a zero-day emergency.

Microsoft’s advisory is sparse on technical details—common for a freshly released patch. It doesn’t disclose which specific Excel feature triggers the out-of-bounds read or what kind of data might be leaked. This is partly to give defenders time to apply the update before attackers reverse-engineer the fix. In the coming weeks, as security researchers dig into the patch, expect more analysis to surface, potentially filling in those blanks.

The vulnerability underscores a recurring theme in Office security: even with modern protections like Protected View and AMSI, legacy file formats and complex parsing logic remain a source of exploitable bugs. An out-of-bounds read might sound less frightening than remote code execution, but in the wrong hands, it can be just as damaging—especially in environments where Excel files contain financial models, customer lists, or strategic plans.

What to Do Now: A Three-Step Action Plan

  1. Update all Excel installations immediately. For most users, this means checking for updates manually if auto-update hasn’t already kicked in. For IT departments, roll out the patches through your standard deployment tools after a brief compatibility test with critical line-of-business add-ins.
  2. Verify that the patches took. Spot-check build numbers; don’t rely on update history alone. For OOS, confirm the server health dashboard shows the new version.
  3. Layer defenses while patches propagate. Keep Protected View enabled, block macros from the internet by default, and use Azure Information Protection or sensitivity labels to encrypt or control access to highly sensitive spreadsheets. These methods can limit the blast radius even if an unpatched Excel instance leaks memory contents.

Microsoft has published the official advisory at the Security Response Center portal, which includes a vulnerability-specific FAQ and links to the relevant KB articles. For enterprise admins, the Microsoft Update Catalog provides direct downloads for the standalone packages.

Outlook: What’s Coming Next

No current evidence points to active exploitation of CVE-2026-55046, but that could change. Researchers are now free to analyze the patch and potentially develop proof-of-concept exploits. Historically, the window between a Patch Tuesday release and the first public exploit demonstration has shrunk, so the urgency to apply the update is real.

For organizations that manage a mix of Office versions, this incident is a reminder to consolidate on a supported, easily updatable platform. Microsoft’s Click-to-Run deployment model ensures faster and more consistent updates compared to the manual MSI-based approach. If you’re still running Excel 2016 via MSI, start planning a migration to Microsoft 365 Apps or at least a Click-to-Run version of Office LTSC. It will simplify future patch cycles and reduce the risk of missing critical security fixes.

In the near term, keep an eye on the Microsoft Security Response Center’s blog for any updates on this CVE, including revised exploit assessments or additional advisory notes. And if your organization uses Excel in highly regulated industries—finance, healthcare, defense—consider conducting a quick internal review of what sensitive data might have been exposed in the worst-case scenario. Until you’re fully patched, treat every unexpected spreadsheet as a potential data thief.