Microsoft has quietly patched a severe vulnerability in Microsoft Office that could allow attackers to execute malicious code on your PC just by getting you to open a specially crafted document. The flaw, indexed as CVE-2026-20955, was disclosed through the Microsoft Security Response Center with a warning that exploitation is possible from a remote location—yet the technical severity score lists the attack vector as “Local,” a disconnect that sometimes leads to dangerous complacency. Here’s what the vulnerability actually does, why the label shouldn’t fool you, and exactly what you need to do to stay safe.

What You Need to Know About CVE-2026-20955

The advisory for CVE-2026-20955 describes a remote code execution (RCE) vulnerability in Microsoft Office, specifically related to how the software parses certain document formats. While Microsoft hasn’t publicly detailed every technical nuance, the pattern is familiar: an attacker can create a malicious file, typically an Excel workbook or another Office document type, that exploits a flaw in the program’s code when opened. Successful exploitation could grant the attacker the same privileges as the current user, potentially leading to total system compromise.

Microsoft has released security updates that correct the underlying issue, and the company’s usual guidance applies: install the latest patches for your version of Office immediately. The fixes are distributed through Windows Update, Microsoft Update, and the Microsoft Update Catalog for enterprise environments. At the time of writing, no active attacks had been publicly confirmed, but the nature of such vulnerabilities means weaponization often follows disclosure—sometimes within days.

For those tracking the Common Vulnerability Scoring System (CVSS), the flaw carries an Attack Vector of Local (AV:L), which might prompt a sigh of relief. But that relief is misplaced. To understand why, a quick detour into the often-misunderstood world of CVSS scoring is necessary.

The CVSS Score: Why ‘Local’ Doesn’t Mean Low Risk

The CVSS metric for Attack Vector (AV) causes endless confusion, and CVE-2026-20955 is a textbook example. The CVE title includes the phrase “remote code execution,” yet the CVSS vector says “AV:L” (Local). The contradiction isn’t an error; it reflects a deliberate distinction in how CVSS measures exploitation conditions versus how vendors communicate threat origin.

Microsoft’s own advisory for this CVE includes an FAQ that clarifies: “The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.” In other words, while the attacker can be anywhere on the internet when they craft and send the malicious file, the vulnerable code must run on your machine, inside the Office application, triggered by you opening the file. That’s why CVSS calls it Local—it’s about where the code execution happens, not where the attacker sits.

This isn’t a Microsoft quirk; it’s standard CVSS practice. The CVSS v3.1 specification explicitly states that document-parsing vulnerabilities should be scored as AV:L “regardless of the method used to distribute such a malicious document.” The rationale is that the vulnerability itself isn’t network-accessible; it requires the victim to perform an action (opening the file) that loads the malicious content into the vulnerable parser.

So, does “Local” mean the risk is low? Absolutely not. Document-based RCEs are among the most commonly exploited vulnerability classes because they marry remote delivery with a high success rate. Sending a booby-trapped email attachment is trivial, and social engineering tricks often convince users to open them. Once the file is opened, the attacker can gain a foothold, potentially moving laterally across a corporate network.

Who’s Affected? The Real-World Impact

CVE-2026-20955 affects any system that runs a vulnerable version of Microsoft Office and processes untrusted documents. That’s a vast population:

  • Home users who receive phishing emails with malicious Office attachments are prime targets. Even if you’re cautious, a well-crafted spear-phishing message can slip through.
  • Enterprise environments face heightened risk because they often have automated systems that parse Office files: email gateways that preview attachments, SharePoint servers that render documents for web viewers, and collaboration tools that generate thumbnails. In these cases, the vulnerable code might be triggered without a user explicitly opening a file, effectively turning the Local vector into a Network-accessible one. Administrators must identify and patch not just desktop Office installations but also server-side components like Office Online Server and Exchange transport agents that handle document parsing.
  • Developers and integrators who embed Office file processing in custom applications or services need to ensure their pipelines use updated libraries.

The common thread is that if your system can open an Office document from an untrusted source, you are at risk. The AV:L designation doesn’t limit the attack surface—it simply describes the technical exploitation path.

Why Document-Based RCEs Remain a Top Threat

This isn’t the first time a document-based RCE has made headlines, and it won’t be the last. Microsoft Office has long been a popular target because of its ubiquity and the complexity of its file formats. Flaws in the way Excel handles formulas, Word processes RTF, or PowerPoint parses media files have been exploited in real-world attacks for years. Notable examples include the infamous CVE-2017-11882, an Equation Editor vulnerability that was exploited for years after a patch because many systems hadn’t updated.

The persistent confusion over CVSS AV:L in document RCEs has practical consequences. Security teams that filter by severity metrics might deprioritize AV:L vulnerabilities, assuming they require physical access. But as we’ve seen, remote delivery makes these bugs just as dangerous as network-exploitable ones. Attackers don’t care about scoring philosophy; they care about results. Consequently, wise defenders treat any RCE in a document parser as critical, regardless of the vector string.

Microsoft has attempted to reduce the attack surface with features like Protected View, which opens files from the internet in a sandboxed, read-only mode, and Application Guard for Office, which isolates untrusted documents in a virtualized container. These features are powerful, but they’re not always enabled by default, and they can sometimes be bypassed by determined adversaries. The safest approach is to eliminate the vulnerability entirely through patching.

How to Protect Yourself and Your Organization

The most effective defense is to apply the security update that addresses CVE-2026-20955. Here’s a step-by-step action plan tailored for different audiences:

For home users:
- Run Windows Update and ensure all Office updates are installed. If you use Office 365 or Microsoft 365, updates are automatic, but you can manually check by opening any Office app, going to File > Account > Update Options > Update Now.
- Treat all unsolicited email attachments with suspicion. Don’t open Office files from unknown senders, and even those from known contacts if they look unexpected. Preview isn’t always safe.
- Enable Protected View: In Office applications, go to File > Options > Trust Center > Trust Center Settings > Protected View, and ensure all three options are checked (files from the Internet, unsafe locations, Outlook attachments). This won’t stop all exploits but adds a valuable layer of defense.
- If you have Microsoft Defender, ensure it’s up to date and running. It can often detect and block malicious documents using cloud-based protection.

For IT administrators:
- Patch management: Deploy the latest Office security updates to all endpoints using your standard tool (WSUS, SCCM, Intune). Verify that the patch for CVE-2026-20955 is installed across the fleet.
- Server-side patching: Don’t forget servers that process Office documents—Office Online Server, SharePoint, Exchange servers with attachment preview, and any third-party applications that leverage Office file parsers. These are often overlooked and can act as pivot points.
- Configure Protected View and Application Guard: Use Group Policy or Intune to enforce Protected View for all documents originating from the internet. If licensed, enable Application Guard for Office to isolate untrusted files in a hardware-backed container.
- Harden email gateways: Ensure your email security solution is stripping active content from attachments, sandboxing suspicious files, and blocking macro-enabled Office files from external sources whenever possible.
- Hunt for signs of exploitation: Monitor endpoints for suspicious Office behavior—for example, Excel spawning PowerShell or cmd.exe, making unexpected network connections, or writing files to unusual locations. Use your EDR to set up detection rules for these patterns.
- Limit privileges: Ensure user accounts operate with least privilege. Standard user accounts can limit the damage if an exploit succeeds, as the attacker won’t have immediate admin rights.

For developers and service operators:
- If your application processes Office files (e.g., for conversion, preview, or data extraction), make sure the underlying Office libraries or third-party components are updated to the patched version. If you rely on server-side automation with Office, isolate these processes in sandboxed environments with minimal privileges.

What Comes Next

History suggests that a publicly disclosed Office RCE will eventually see active exploitation. While no proof-of-concept code was immediately spotted in the wild for CVE-2026-20955, skilled reverse engineers can often craft an exploit from patch analysis within weeks. Microsoft typically works with partners to detect threats, but the cybersecurity community will be watching for any uptick in Office-based attack campaigns.

In the medium term, the conversation around CVSS scoring and its real-world interpretation will likely continue. The CVSS v4.0 standard has introduced some refinements, but the core distinction between attack vector and attacker location remains. For now, the lesson is clear: don’t let a “Local” label lull you into inaction. Patch, isolate, and stay vigilant.