On July 14, 2026, Microsoft released a round of Office security updates that close CVE-2026-55036, a remote code execution (RCE) vulnerability in Microsoft Excel. The flaw carries a CVSS score of 7.8 and can give an attacker full control of an affected system after a user opens a weaponized spreadsheet. Fixes are available for Microsoft 365 Apps, Office 2019, Office LTSC 2021 and 2024, Excel 2016, Office for Mac, and Office Online Server. No active exploitation has been reported, but the broad attack surface and low attack complexity make swift patching essential.

What Actually Changed

CVE-2026-55036 is a buffer over-read (CWE-126) in the Excel parser. When a specially crafted file is opened, the flaw can read memory beyond the intended buffer, potentially leading to code execution with the privileges of the logged-in user. Microsoft’s advisory classifies the attack vector as local (AV:L) with user interaction required (UI:R), meaning an attacker must convince a target to open a malicious document. Despite the “remote code execution” label, exploitation originates from the local machine running Excel, not an exposed network service.

The July 2026 patch addresses the root cause, replacing the vulnerable parsing logic. Although Microsoft has not published detailed technical information about the malformed input or the specific Excel component involved, the fix eliminates the underlying weakness. The company’s Security Update Guide confirms that all affected versions listed below are reliably remediated by the updates.

Affected Products and Minimum Fixed Versions

Product Architecture Fixed Build / KB
Microsoft 365 Apps for enterprise 32-bit, 64-bit Install latest July 2026 update from your channel
Microsoft Excel 2016 (MSI) 32-bit, 64-bit Version 16.0.5561.1001 or later (KB5002886)
Microsoft Office 2019 32-bit, 64-bit Install latest July 2026 update
Microsoft Office LTSC 2021 32-bit, 64-bit Install latest July 2026 update
Microsoft Office LTSC 2024 32-bit, 64-bit Install latest July 2026 update
Microsoft 365 / Office 365 for Mac Version 16.111.26071215 or later
Office LTSC for Mac 2021/2024 Version 16.111.26071215 or later
Office Online Server Version 16.0.10417.20175 or later (KB5002884)

For Click-to-Run installations (Microsoft 365 Apps), build requirements vary by update channel; administrators should confirm that their management tools report the channels’ July compliance state. The standalone MSI-based Excel 2016 fix, KB5002886, supersedes KB5002865 and can be obtained from the Microsoft Update Catalog or Windows Update. KB5002884 for Office Online Server replaces KB5002875.

Microsoft has also clarified that CVE-2026-55036 is only one of multiple Excel vulnerabilities patched in the July 2026 release; the same KB bundles fix several other RCE and information‑disclosure issues. This underscores the importance of deploying the complete package rather than attempting to address individual flaws.

What It Means for You

Home Users and Individual Subscribers
If you use any version of Office listed above, your system is at risk until you apply the updates. Attackers can deliver a malicious Excel file through email, messaging apps, or compromised websites, and simply opening the document—even in preview or protected view—may trigger the exploit. Updating Office closes the door entirely. The process is straightforward: open any Office application, go to File > Account > Update Options > Update Now. For Microsoft 365 subscriptions, the update should be delivered automatically once it rolls out to your update channel, but manually checking ensures you’re protected immediately.

IT Administrators
This vulnerability demands prioritized deployment across all endpoints that regularly process spreadsheets from external sources—email, collaboration platforms, file‑sharing portals, and line‑of‑business applications. The attack complexity is low, and no privileges are required beyond normal user interaction, so a single unpatched machine can become a conduit for lateral movement. Key considerations:

  • Click-to-Run vs. MSI: Microsoft 365 Apps for enterprise receive updates through their assigned channel (e.g., Current Channel, Monthly Enterprise Channel). Validate that your update reporting tools show the correct build for each channel. The absence of the KB5002886 on a device does not mean it’s vulnerable if it’s running a patched Click-to-Run build.
  • Excel 2016 (MSI): Both 32‑ and 64‑bit packages must be deployed. The fixed version is 16.0.5561.1001; check EXCEL.EXE’s file version after installation.
  • Mac deployments: Office for Mac updates are distributed through Microsoft AutoUpdate or MDM. Ensure machines reach version 16.111.26071215. Legacy versions prior to Office 2019/365 may be out of support and should be retired or isolated.
  • Office Online Server: This server‑side product processes documents centrally, so a compromise could have widespread impact. Apply KB5002884 and complete any farm‑update procedures to bring the server to version 16.0.10417.20175 or higher.
  • Non‑standard document processing: Automated reporting services, add‑ins, document‑conversion workflows, and preview generators often invoke Office components silently. Audit these processes and update the underlying Office installations or runtime components.

Developers and Power Users
Custom add‑ins that parse Excel files programmatically should be tested against the updated Office libraries, but the primary fix resides in Microsoft’s binary, so no code changes are required. If you’ve built sandboxed environments, ensure the sandbox’s Office installation is also updated. For Excel JavaScript add‑ins, the vulnerability is in the native parser, not the web‑based runtime, but the host application still needs the patch.

How We Got Here

Buffer over‑read flaws like CWE‑126 have existed for decades, yet they remain a persistent source of security bugs in complex desktop applications. Excel, with its myriad file formats and backwards‑compatibility requirements, relies on parsers that must correctly handle malformed input. A single mistake in bounds checking can leave memory exposed. In this case, Microsoft identified the vulnerability through internal research and promptly released a fix as part of the July 2026 Patch Tuesday cycle.

There is no evidence that CVE‑2026‑55036 was ever exploited in the wild prior to the patch. CISA’s initial assessment echoes this: no known exploitation, and the attack is not readily automatable in a worm‑like fashion. However, the low attack complexity and the prevalence of Excel in business environments make it a prime target for phishing‑based attacks. Once technical details become public—either through reverse engineering or a researcher’s publication—the risk of weaponization rises sharply.

The July 2026 Office updates also include fixes for other Excel vulnerabilities, some of which Microsoft rates as critical. The cumulative nature of these patches means that applying the entire release is the safest course. Historically, delaying Office updates has been a contributing factor in many real‑world compromises, as attackers quickly reverse‑engineer patches and craft exploits.

What to Do Now

  1. Update Immediately
    - Home users: Open any Office app, go to File > Account > Update Options > Update Now.
    - Enterprise admins: Push the July 2026 Office updates via WSUS, Configuration Manager, Intune, or other management tools. For Click‑to‑Run, use the Office Deployment Tool or cloud update policies to enforce the patched build.
    - Excel 2016 MSI: Download KB5002886 from the Update Catalog and deploy.
    - Office Online Server: Install KB5002884 and restart the server farm.
    - Mac: Initiate Microsoft AutoUpdate or push the update via MDM.

  2. Verify Patch Installation
    - Check the file version of EXCEL.EXE or the Office build number. Use the table above as a reference. For Office 365, the build number should match the July 2026 release for your channel.
    - For Office Online Server, verify the server version matches or exceeds 16.0.10417.20175.

  3. Reduce Exposure Until Patches Are Deployed
    - Treat all unsolicited spreadsheets as potential threats. Enable blocking of Office macros from the internet via Group Policy or Intune policy.
    - Ensure that Microsoft Defender, network protection, and email scanning are active and up‑to‑date.
    - Configure Office to open documents from the internet in Protected View or Application Guard for Office (if licensed). Note that these are not guarantees against exploitation, but they raise the bar.

  4. Audit Automated Processing
    - Identify servers, services, and scripts that invoke Excel or other Office components to parse user‑supplied files. Patch those environments as a priority.

  5. Stay Informed
    - Monitor the CVE‑2026‑55036 entry in the National Vulnerability Database and Microsoft’s Security Update Guide for any revision.
    - Watch for updates from CISA and security researchers, as a public proof‑of‑concept may emerge.

Outlook

The immediate risk from CVE‑2026‑55036 is mitigated by applying the July 2026 updates. However, the lack of detailed technical information is a double‑edged sword: it currently hinders attackers, but once the fix is reverse‑engineered, exploit code may appear rapidly. Organizations that defer patching should assume that working exploits will be publicly available within weeks, if not days, of the first detailed write‑up. The next critical signal will be any change in CISA’s exploitation status or a Microsoft revision citing active attacks. Until then, the safest course is to treat this as a high‑priority patch and deploy it without delay.