Microsoft shipped its July 2026 Office security updates on July 14, and standing chief among them is a patch for a critical Excel vulnerability that lets attackers execute arbitrary code on a victim’s machine. The bug, indexed as CVE-2026-55037, is a heap-based buffer overflow that can be triggered when Excel opens a specially crafted workbook. It carries an Important severity rating and a CVSS 3.1 base score of 7.8, making it a priority for anyone who works with Office files.
What Changed in Excel’s July 2026 Security Update
CVE-2026-55037 is a memory-corruption flaw in the way Excel parses spreadsheet content. When a malicious file is opened, the application writes beyond the bounds of a heap allocation. Under the right conditions, that corruption can be shaped to redirect execution flow, letting an attacker run code in the context of the logged-in user. The vulnerability affects a broad range of Office editions on both Windows and macOS:
| Affected Product | Required Update / Fixed Build |
|---|---|
| Microsoft 365 Apps for Enterprise (32/64-bit, Windows) | Updated through the applicable servicing channel (click-to-run) |
| Excel 2016 (32/64-bit, Windows MSI) | Apply KB5002886 to reach version 16.0.5561.1001 or later |
| Office 2019 / Office LTSC 2021 / Office LTSC 2024 (Windows) | Install the July 2026 security release via click-to-run or MSI |
| Microsoft 365 for Mac / Office LTSC for Mac | Update to version 16.111.26071215 or later |
| Office Online Server | Apply the server update to reach version 16.0.10417.20175 or later |
The fix for Excel 2016’s MSI edition is distributed through the older Windows Installer pipeline, while modern Click-to-Run installations get the patch automatically through their configured update channel. Mac builds receive the fix through Microsoft AutoUpdate. Because the flaw does not affect older, unsupported Office versions, only systems running currently supported editions are listed.
Why “Remote Code Execution” Matters Even with a Local CVSS Score
Microsoft’s advisory tags CVE-2026-55037 as “Remote Code Execution,” yet the CVSS 3.1 vector reads AV:L—Local attack vector. That pairing often confuses but is technically correct. In vulnerability naming, “remote” describes the attacker’s location. An adversary on the other side of the internet can prepare a malicious file and send it to the target. The CVSS Attack Vector, however, rates only the final exploitation step: the Excel process parses the file on the local machine, so the exploitation event itself is local. As Microsoft’s Security Response Center explains, “The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”
What matters for defenders is that the attack chain does not require an authenticated session or a network-facing service. An attacker can deliver the payload through email attachments, shared OneDrive links, Teams messages, or any other channel that places a file in front of a user. Because User Interaction is Required, the victim must open the workbook, but that’s the only hurdle. The Low Attack Complexity and no Privileges Required mean that once opened, the file can potentially seize control without further obstacles.
What This Means for You
For home users and small businesses: If Excel is installed as part of a Microsoft 365 subscription or a one-time purchase of Office 2019/2021/2024, the update should arrive via Microsoft Update or the Office auto-updater. You can verify your build number by opening Excel and navigating to File > Account > About Excel. The security fix will be integrated into the monthly rollup, so if you’re set to receive automatic updates, no extra steps are required. Avoid opening spreadsheets from unknown sources, and use the Protected View feature when files arrive from the internet.
For IT administrators: This vulnerability demands a systematic patching response. Because the attack is document-based, email filters and attachment scanners can reduce risk but won’t eliminate it. Files can enter the organization through trusted accounts, cloud storage, or removable media. Focus on:
- Confirming that Click-to-Run installations are on a servicing channel that has picked up the July 14 fixes.
- For Excel 2016 MSI, ensure KB5002886 is deployed and that the build number is 16.0.5561.1001 or above.
- Using endpoint management tools to report build numbers, not just compliance status.
- Enforcing least-privilege user accounts to limit the impact of a successful exploitation. An attacker who runs code typically inherits the user’s permissions, so a standard account provides some containment.
- Enabling Protected View and Application Guard for Office if your environment supports it; these features can sandbox untrusted files.
For developers and security researchers: The flaw is categorized as CWE-122 (Heap-based Buffer Overflow). Microsoft has not published a proof-of-concept, but the CVSS rating of 7.8 suggests reliable exploitation may be feasible. If you maintain tools that parse Excel files or rely on Excel automation, ensure your Office installation is patched, as interop processes could become infection vectors.
How We Got Here
Excel has long been a favourite target for attackers because of its deep and complex file-format parsing. Over the years, malformed workbooks have been used in targeted phishing and malware distribution campaigns. This heap overflow is the latest in a series of memory-safety bugs found in Office’s core processing engines. Microsoft’s Security Update Guide publishes CVSS metrics now to help organizations prioritize, and the shift toward more transparent scoring has made the “remote” versus “local” discussion especially visible. The July 2026 patch cycle bundles CVE-2026-55037 with other Office fixes, but Microsoft has not disclosed whether the bug is being actively exploited as of the release date.
What to Do Now
- Update Excel immediately. Open any Office application, go to File > Account > Update Options > Update Now, or run Microsoft AutoUpdate on Mac. For managed environments, push the update through your patching infrastructure.
- Verify the build number. In Excel, click File > Account, and look under About Excel. The version number should be equal to or higher than the fixed build listed above for your edition. For Click-to-Run installations, the exact build will vary by channel, but any build released after July 14, 2026, will contain the fix.
- Rely on update channels where possible. If you are still on an MSI-based installation of Excel 2016, consider transitioning to Click-to-Run or a supported subscription to simplify patch management. Microsoft no longer provides mainstream support for Excel 2016, but security patches continue if the product is enrolled in Extended Security Updates (ESU) or if the specific edition is still on the supported list.
- Combine patching with defensive layers. Protected View, attachment sandboxing, email filtering, and user education about opening unexpected files are all valuable, but none substitute for having the fix installed. The vulnerability is in the parser itself, so even a file that passes antivirus scans can trigger the overflow if the underlying code is unpatched.
- Audit Office Online Server deployments. If your organization runs Office Online Server for document viewing and collaboration, apply the server-side update without delay. An attacker could host a malicious workbook that affects all server-side rendering sessions.
Outlook
Microsoft’s move toward software-as-a-service for Office means vulnerabilities like CVE-2026-55037 are patched quickly and delivered automatically to most users. However, the continuing discovery of memory-corruption flaws in mature, codebase-heavy applications like Excel shows that the attack surface remains meaningful. As attackers refine techniques for exploiting heap overflows, patch latency will increasingly determine whether an organization becomes a victim. In the near term, watch for additional security blogs that may publish detailed analysis once the update has been broadly deployed. For now, the strongest signal is the CVSS score: treat this as an urgent, practical risk, and get Excel updated across every device you manage.