{
"title": "Microsoft Patches Excel Flaw That Leaks Data Through Malicious Files—Update Now",
"content": "Microsoft released a security update on July 14, 2026 that fixes an information-disclosure vulnerability in Excel tracked as CVE-2026-55898. The flaw allows attackers to read data from memory beyond the boundaries of a spreadsheet, potentially exposing sensitive information. The patch is part of the July Patch Tuesday cycle and affects virtually every supported version of Microsoft Office across Windows and macOS, plus Office Online Server.

Users and administrators should verify that the update has been applied—not just to Windows but specifically to Office apps—because the vulnerability can be triggered simply by opening a specially crafted file. Microsoft rates the flaw as “Important” with a CVSS 3.1 score of 6.1, and while there’s no evidence of active attacks, the broad attack surface makes it a priority for managed environments.

What Microsoft Fixed in Excel

CVE-2026-55898 is an out-of-bounds (OOB) memory read vulnerability, classified under CWE-125. When Excel processes a malformed workbook, it can read memory locations adjacent to the intended data structure. That extra memory may contain fragments of whatever else was stored nearby—other spreadsheet data, previous session information, or even system-level details—depending on what was occupying those memory pages.

Microsoft’s advisory doesn’t specify exactly what an attacker could recover. The CVSS vector assigns a “Low” confidentiality impact, suggesting the data exposed might be partial and non-deterministic. But any memory disclosure can be dangerous: it can reveal internal application state or serve as a building block for more complex attacks.

The vulnerability also carries a “High” availability impact. That indicates exploitation could crash Excel or render the application unusable temporarily. It’s not remote code execution, so an attacker can’t take over the system, but they could disrupt work or glean information from a crash dump.

The flaw requires user interaction (UI:R in CVSS terms). That means an attacker must convince someone to open a