On July 14, 2026, Microsoft rolled out a critical security fix for a vulnerability in Excel that could let attackers take over your computer just by tricking you into opening a booby-trapped spreadsheet. Tracked as CVE-2026-58618, the flaw is rated \"Important\" with a CVSS score of 7.8 out of 10, and it affects nearly every supported version of Excel across Windows and Mac, as well as Office Online Server.

The bug is a heap-based buffer overflow — a classic memory corruption issue where a maliciously crafted file can cause Excel to overwrite memory, potentially allowing the execution of attacker-supplied code. In plain terms: opening a poisoned Excel document could let someone run any program or command on your PC, steal your files, or install malware, all with the same permissions you have.

Microsoft's Security Response Center published the advisory as part of its regular July Patch Tuesday updates, urging users and administrators to apply the fixes immediately.

Remote Attack, Local Trigger — What That Means

If you read the CVE entry, you might notice something confusing: the title says \"Remote Code Execution,\" but the technical CVSS vector lists the attack vector as \"Local\" (AV:L). Microsoft explains that \"Remote\" refers to where the attacker is located — they can be on the other side of the world, sending out malicious emails or hosting files on the internet. The \"Local\" vector means the exploitation itself happens on your computer: the vulnerability can only be triggered when Excel processes the file locally. In other words, the attacker delivers the payload from afar, but you have to open the file to get infected.

This is a common pattern for document-based attacks. An attacker crafts a weaponized workbook, sends it via email, chat, or a download link, and waits for a victim to open it. The moment Excel tries to parse the malicious data, memory corruption occurs, and if the exploit is designed well, the attacker's code starts running. You don't necessarily need to click a link inside the file or enable macros — simply opening the file can be enough.

The high severity reflects the potential damage: successful exploitation gives an attacker full access to everything your user account can do (confidentiality, integrity, and availability are all rated High). If you're an administrator, the attacker gains total control of your machine. Even with a standard account, a hacker could still steal documents, browser credentials, authentication tokens, and any other data you can access.

Which Versions of Excel Are Affected?

The vulnerability is widespread, covering many generations of Office:

  • Microsoft 365 Apps for Enterprise (current and older builds)
  • Excel 2016 (requires build 16.0.5561.1001 or later to be fixed)
  • Office 2019
  • Office LTSC 2021
  • Office LTSC 2024
  • Microsoft 365 for Mac and Office LTSC for Mac 2021/2024 (fixed in build 16.111.26071215 or later)
  • Office Online Server (fixed in build 16.0.10417.20175 or later, with associated KB5002884 and KB5002886 updates)

If you’re using the click-to-run version of Microsoft 365 (the one installed from your Microsoft account or through Office.com), it should update automatically if you have auto-updates enabled. But perpetual versions like Excel 2016 or Office 2019 require you to manually check for and install updates through Windows Update or the Office app itself.

Enterprise environments also need to pay attention to Office Online Server, which is patched separately. Microsoft’s July update includes specific KB numbers for those server components, and failing to update them could leave web-based Excel features open to attack.

How We Got Here

Heap buffer overflows are an old class of vulnerability, but they continue to pop up in complex software like Office. Attackers love them because they can lead to reliable code execution when exploited correctly. Excel’s file-parsing engine has to handle a multitude of formats — XLS, XLSX, CSV, and many others — each with intricate internal structures that are ripe for fuzzing and manual reverse engineering.

This isn’t the first time Excel has had a file-parsing bug, and it won’t be the last. In recent years, we’ve seen Office vulnerabilities used in ransomware campaigns, targeted espionage, and commodity malware distribution. Just last year, a similar Excel flaw was used to drop Formbook infostealer. The constant drumbeat of Patch Tuesday Office fixes is a reminder that every new or old file you open carries risk.

At the time of publication, CISA reported no known active exploitation of CVE-2026-58618 and noted the flaw is not easily automatable. But that can change quickly. Once patches are released, reverse engineers can compare fixed and unfixed binaries to understand the vulnerability, leading to the development of working exploits, which is why timely updating is critical.

What to Do Right Now

For home users and small businesses:

  • If you use Microsoft 365, open any Office app (Word, Excel, etc.), go to File > Account > Update Options > Update Now. This downloads and installs the latest security fixes for all Office apps.
  • If you have a standalone version like Excel 2016 or Office 2019, run Windows Update and make sure you install all pending Office updates. Alternatively, you can download the latest updates manually from the Microsoft Update Catalog.
  • Until you’ve patched, be extra cautious about opening Excel files from unknown sources. Don’t double-click attachments you weren’t expecting. If you must inspect a file, upload it to a cloud document viewer like Office Online (once updated) or use a sandbox.

For IT administrators:

  • Verify that your update management tools (WSUS, SCCM, Intune, etc.) have deployed the July 2026 updates to all end-user systems. Remember that Windows Update may not push Office updates if you’ve configured separate update paths.
  • Check the build numbers: for Excel 2016, you need at least 16.0.5561.1001; for Office for Mac, 16.111.26071215; for Office Online Server, 16.0.10417.20175. Use the appropriate KB articles for server patching (KB5002884, KB5002886).
  • Consider additional mitigation measures while patches roll out: enable Attack Surface Reduction rules in Microsoft Defender (such as blocking Office applications from creating child processes), ensure Mark of the Web is honored and Protected View is on, and use email filtering to block or quarantine attachments with risky extensions.
  • Educate users: remind them that an Excel file can be dangerous even without macros. Phishing campaigns often leverage newly patched vulnerabilities before everyone has updated.

For Mac users:

  • Microsoft AutoUpdate should offer the fix. You can also manually check for updates from any Office app’s Help menu.

What to Watch Next

Given the severity, security researchers will likely publish detailed analyses of the flaw in the coming weeks. That’s a good thing — it helps the community understand the vulnerability — but it also means proof-of-concept exploits may become public, making unpatched systems an even bigger target.

Keep an eye on Microsoft’s advisory page for any revisions; occasionally, the company expands the list of affected software or releases updated guidance. And as always, the most effective defense is a quick patch turnaround. If you haven’t already, update Excel today.