Microsoft has released a patch for a critical Excel vulnerability that can let attackers run code on your PC—but the severity label is causing head-scratching among security teams. While the advisory calls it a "Remote Code Execution" (RCE) flaw, the official CVSS score says the attack vector is "Local," not "Network." That's not a mistake. It's a distinction that matters for how you prioritize and defend against the threat.

What the Vulnerability Actually Does

The bug, tracked as CVE-2026-20955, is a memory corruption issue in Microsoft Excel. When you open a specially crafted spreadsheet, the flaw can be triggered to allow an attacker to execute arbitrary code under your logged-in user's permissions. If you have admin rights, they get admin access. If not, they still get a foothold to run malicious commands, drop malware, or steal data.

Attackers can deliver the booby-trapped file through the usual channels: an email attachment, a download link, a shared cloud folder, or even a USB drive. The attack requires you to open the file—or, in some cases, simply preview it in Outlook or File Explorer—but you won't see anything suspicious. The exploit can work silently.

Microsoft addressed the issue in its latest Patch Tuesday updates. The advisory covers multiple Excel versions, including Office 2016, Office 2019, Office 2021, and Microsoft 365 Apps. If you're using any of these, the update is already available via Windows Update or your organization's patch management system. You can find the specific KB numbers and download links on the Microsoft Security Response Center's (MSRC) page for CVE-2026-20955.

Why the RCE Label and CVSS Score Don't Match

Here's where the confusion starts. Microsoft's advisory headline reads "Microsoft Excel Remote Code Execution Vulnerability." But when you look at the technical CVSS vector, you see AV:L—Attack Vector: Local. For anyone used to triaging vulnerabilities, "Remote Code Execution" usually screams "wormable network attack," like a BlueKeep or a SharePoint exploit that can be hit over TCP without any user action. An AV:L, on the other hand, suggests you need to be sitting at the keyboard to exploit it.

So which is it?

Microsoft's FAQ entry for this CVE spells it out plainly: "The word Remote in the title refers to the location of the attacker." The CVSS Attack Vector, they explain, is about where the vulnerable code lives and how it gets triggered. In this case, the bug is in the Excel parser that runs locally on your PC. Exploitation happens when that local process chokes on a malicious file. The attacker might be halfway around the world, but the payload only fires once it's on your machine and you open the file. That's why CVSS scores it as AV:L—Local, with User Interaction required (UI:R).

This isn't a new debate. For years, Microsoft and other vendors have used "Remote Code Execution" as an impact statement, not a technical description of the network attack surface. They're answering the question: "What can an attacker accomplish?"—namely, run code on your box from a remote starting point. The CVSS score answers a different question: "How is the vulnerable component accessed?"—namely, through a local file operation.

Both labels are correct in their own context. The problem is that many organizations automate patch prioritization based on keywords like "RCE," and they might mistakenly treat this as a network-facing emergency, or, conversely, dismiss it as low-risk because "Local" sounds less severe. Neither approach is right.

Who Is at Risk—and How Badly

If you're a home user who occasionally opens spreadsheets from email or downloads them from the web, you are absolutely at risk. The silver lining is that the exploit requires you to open the file, so standard phishing awareness helps. But modern attacks are sophisticated enough to make that file look like a legitimate invoice, resume, or bank statement. And if your email client previews attachments automatically—as Outlook does by default—you might never even double-click the file to get compromised.

For businesses, the picture is more complicated. A user opening a weaponized Excel file can be the entry point for ransomware, credential theft, or lateral movement. And if your organization runs any server-side service that parses Excel files—like an email gateway that generates previews, a document conversion service, or a content indexing engine—that service might be directly reachable over the network. In such a scenario, an attacker could send a malicious file to that service without any user interaction, effectively turning the AV:L bug into a practical network attack. The CVSS guidance is clear: if the vulnerable component is bound to a network service, it should be scored as AV:N. So, for those edge cases, you need to assess your own exposure separately.

The Backstory: Office Bugs and Scoring Quirks

Office vulnerabilities have always walked this tightrope between attacker location and exploit delivery. The infamous Follina attack in 2022 exploited a Windows MSDT flaw via a Word document called remotely, but the initial trigger was still a local file open. The EternalBlue-style wormable SMB exploits were genuinely network-based. CVE-2026-20955 sits firmly in the file-parsing camp.

CVSS v3, the scoring standard, was designed to bring consistency to vulnerability severity ratings. But its stringent definitions can clash with plain-language advisory labels. The FIRST.org documentation states explicitly that vulnerabilities requiring a user to open a file are scored as Local, even if the file comes from a remote source. That's why you'll see many Office RCEs with AV:L/UI:R vectors.

Microsoft's advisory FAQ for this CVE is a near-verbatim copy of language they've used since at least 2020. They've been consistent: the title is about the attacker's location, not the exploit's network protocol. Yet, version managers and SOC analysts still trip over the discrepancy regularly.

Your Patch-and-Protect Action Plan

Step one is obvious: install the patch. If you manage a fleet of endpoints, deploy the update as soon as your testing allows. For Microsoft 365 Apps, updates are delivered via auto-update; for volume-licensed versions, grab the cumulative update from the Microsoft Update Catalog.

But patching alone isn't a silver bullet. The real risk is that someone opens a malicious file before the update is applied, or that a zero-day variant appears. So, harden your environment now:

  • Enable Protected View for all files from the internet. In Excel's Trust Center, ensure all three Protected View checkboxes are on: files originating from the internet, unsafe locations, and Outlook attachments. This isolates the file in a sandbox and blocks active content.
  • Configure Attack Surface Reduction (ASR) rules. If you use Microsoft Defender, turn on the rule "Block Office applications from creating child processes" (rule ID 3B576869-A4EC-4529-8536-B80A7769E899) and the rule for "Block all Office applications from creating child processes" (D4F940AB-401B-4EFC-AADC-AD5F3C50688A). Test in audit mode first, then enforce.
  • Disable Outlook's preview pane for high-risk user groups. This adds an extra layer of defense, since some exploits can trigger on preview without opening the file. You can do this via Group Policy or user configuration.
  • Use Application Guard for Office where available (it requires specific Windows editions and configurations). It completely isolates documents in a virtualized container.
  • Scan file-exchange and email systems for any server-side Excel processing. If you have a service that automatically converts, previews, or indexes spreadsheets, prioritize patching and hardening those servers first.
  • Update your vulnerability management automation. Don't rely on headline keywords alone. Parse the CVSS vector to extract the actual Attack Vector, User Interaction, and Privileges Required. Adjust your scoring rules so that "RCE" doesn't automatically mean "Critical" when the vector is AV:L/UI:R, but also remain aware of the delivery context.
  • Train users to recognize phishing and to be extremely suspicious of unexpected Excel attachments. No amount of tech can entirely replace good user judgment.

What Comes Next

CVE-2026-20955 is unlikely to be the last time we see this labeling head-scratcher. Microsoft is investing in more secure defaults—like Office macros being blocked by default—but the fundamental architecture of document parsing remains a rich attack surface. Expect more of these "RCE/Local" advisories in the future.

Also, keep an eye on the MSRC page for this CVE over the coming weeks. If active exploitation is detected, Microsoft will update the advisory with notes on known attack campaigns. In the meantime, take the steps above, patch, and harden. The vulnerability is real and dangerous, but your defenses don't have to be confusing.