Microsoft’s July 2026 security updates deliver a fix for CVE-2026-55138, an Excel information-disclosure vulnerability that can leak sensitive data when a victim opens a malicious spreadsheet. The patch, released on July 14, closes a medium-severity flaw that nonetheless carries a high confidentiality impact, making it a priority for organizations that regularly handle external files in Excel.
What the Flaw Actually Does
CVE-2026-55138 stems from an untrusted pointer dereference (CWE-822) in Microsoft Excel. In simple terms, the software mishandles a memory pointer during file processing, potentially allowing an attacker to access data from the program’s memory space.
Microsoft rates the vulnerability as medium-severity with a CVSS score of 5.5, but the vector tells a more nuanced story: attack complexity is low, no privileges are required, and user interaction is necessary (the user must open or interact with a specially crafted file). The real kicker is C:H—high confidentiality impact. That means a successful exploit exposes substantial data, such as cell contents, hidden sheets, or even cached credentials sitting in memory.
There’s no code execution or system compromise; information disclosure is the sole outcome. But stolen data can include financial models, internal reports, and other proprietary content that spreadsheets often contain. Microsoft has not disclosed which Excel feature triggers the bug, so it’s safe to assume the attack surface could be any workbook, not just macro-laden or externally-linked files.
A Closer Look at the CVSS Vector
The CVSS 3.1 string for CVE-2026-55138 is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Breaking that down:
- Attack Vector (AV:L): Local—the attacker must deliver a file to the victim’s machine.
- Attack Complexity (AC:L): Low—no special conditions needed beyond normal file opening.
- Privileges Required (PR:N): None—the victim’s existing account level doesn’t matter.
- User Interaction (UI:R): Required—the victim must open or interact with a malicious file.
- Scope (S:U): Unchanged—the exploit stays within the vulnerable component.
- Confidentiality (C:H): High—complete loss of confidentiality within Excel’s process memory.
- Integrity (I:N) and Availability (A:N): No impact on data integrity or system availability.
The “local” and “user interaction” requirements mean this isn’t a wormable remote flaw, but the low complexity and high confidentiality hit make it dangerous for environments where spreadsheets are routinely shared from unknown sources.
Affected Products: More Than Just Desktop Excel
The patch covers a wide swath of Office installations across Windows, macOS, and server editions. Here’s what you need to check:
| Product | Affected Platform | Secure Build | Update Mechanism |
|---|---|---|---|
| Microsoft 365 Apps for enterprise | Windows (32/64-bit) | July 2026 channel-specific build | Click-to-Run update |
| Excel 2016 (MSI) | Windows (32/64-bit) | 16.0.5561.1001 or later | KB5002886 |
| Office 2019 | Windows (32/64-bit) | July 2026 security release | Microsoft Update / WSUS |
| Office LTSC 2021 | Windows (32/64-bit) | July 2026 security release | Microsoft Update / WSUS |
| Office LTSC 2024 | Windows (32/64-bit) | July 2026 security release | Microsoft Update / WSUS |
| Office for Mac (Microsoft 365) | macOS | 16.111.26071215 or later | Microsoft AutoUpdate |
| Office LTSC for Mac 2021 | macOS | 16.111.26071215 or later | Microsoft AutoUpdate |
| Office LTSC for Mac 2024 | macOS | 16.111.26071215 or later | Microsoft AutoUpdate |
| Office Online Server | Windows Server | 16.0.10417.20175 or later | KB5002884 |
Each deployment channel has its own update mechanism, and missing one can leave a gap. Notably, the bug affects Office Online Server, meaning browser-based Excel viewers also need patching. If you run a SharePoint or on-premises Office Online instance, don’t assume your desktop updates cover the server.
What It Means for You
For regular users
If you use Microsoft 365 or a retail version of Office, open any Office application, go to File > Account > Update Options, and click Update Now. For Mac users, open the Microsoft AutoUpdate tool or check the App Store. The fix should arrive automatically if you have automatic updates enabled, but a manual check can’t hurt.
While you wait, treat unexpected spreadsheet attachments with caution—even those from known contacts. Attackers often use compromised email accounts or spoofed addresses to distribute malicious files. Because the vulnerability requires user interaction, skepticism is your best first line of defense.
Security controls like Microsoft Defender SmartScreen and Protected View add layers of defense, but they aren’t guarantee against a determined attacker. Microsoft hasn’t confirmed that these features fully block exploitation, so patching remains paramount.
For IT administrators
You have a heavier lift, especially in mixed environments. Start by auditing your Office deployment models:
- Click-to-Run (Microsoft 365 Apps): Verify devices are on the July 2026 build for their assigned update channel (e.g., Current Channel, Monthly Enterprise). Use Microsoft Configuration Manager, Intune, or third-party tools to confirm.
- MSI-based Excel 2016: Look for KB5002886 installed and Excel.exe version ≥ 16.0.5561.1001. Microsoft’s Download Center offers the standalone package, but note it only applies to MSI installs, not Click-to-Run.
- Office 2019 and LTSC editions: These follow their own update paths. Check for the July security release via your management console.
- Office for Mac: Ensure the Microsoft AutoUpdate agent has deployed build 16.111.26071215. You can verify this in Excel’s “About” dialog (the full version string, not just the major version).
- Office Online Server: Run KB5002884 on your server farm. After installation, confirm the patched version is 16.0.10417.20175 or later using the server’s health status or registry.
Patch testing remains crucial if your organization relies on Excel-based macros, COM add-ins, or financial plugins. Deploy the update to a small ring first, but don’t delay long—this same July package also fixes multiple remote-code-execution flaws in Excel.
Teams that regularly open external spreadsheets—finance, procurement, payroll, sales—should be prioritized. A crafted workbook can easily arrive through email, Teams, or a file-sharing link, and all it takes is one click.
How We Got Here
Excel has long been a target for attackers because of its ubiquity in business environments. Over the years, we’ve seen everything from Outlook-based document attacks (“click this spreadsheet”) to sophisticated exploits chaining multiple vulnerabilities. While CVE-2026-55138 isn’t being actively exploited, according to CISA’s assessment, its class—information disclosure—can be a stepping stone for more damaging campaigns.
Microsoft’s July 2026 Patch Tuesday bundles numerous Excel fixes, and this CVE is part of that batch. The fact that it’s not remotely triggerable without user action tempers the immediate panic, but its high impact on confidentiality is a reminder that even medium-severity bugs deserve prompt attention. The vulnerability was reported through responsible disclosure (likely to Microsoft’s MSRC) and hasn’t been publicly detailed, which reduces the short-term risk of widespread exploitation. However, once a patch is released, reverse engineers can sometimes produce attacks, so patching quickly remains the best policy.
Separate from this CVE, a related Excel attack technique was recently highlighted by TechRadar, where a malicious spreadsheet could interact with AI agents like Copilot to exfiltrate data. That report underscores the importance of keeping Excel fully updated as new features expand the attack surface.
What to Do Now: A Patch Checklist
Step 1: Identify your Office install type.
Run winver (Windows) or check the About dialog (Mac) to see your version. On Windows, you can also look at the installed product list in Settings > Apps. For Office Online Server, check the version in the configuration panel.
Step 2: Apply the correct update for your environment.
- MSI-based Excel 2016: Download and install KB5002886, or use WSUS/SCCM.
- Click-to-Run (Microsoft 365 Apps): Trigger an update from any Office app, or let the automatic updater run. Verify the build number exceeds the July 2026 threshold.
- Office 2019 and LTSC: Use Microsoft Update or your enterprise deployment tool.
- Mac: Open Microsoft AutoUpdate (Help > Check for Updates in any Office app) and install version 16.111.26071215.
- Office Online Server: Install KB5002884 and restart the server components.
Step 3: Verify the patch.
After updating, confirm the Excel version meets the required numbers. For MSI-based Excel 2016, open Excel, go to File > Account > About Excel, and check the version. For Mac, the About dialog shows the full build number. For Office Online Server, you can query the registry or check the administrative dashboard.
Step 4: Educate users.
Send a brief reminder: don’t open unexpected spreadsheets, even with a known sender’s name, without first verifying the legitimacy. This vulnerability alone may not be a wildfire, but similar user-interaction flaws are common, so awareness is a durable control.
Outlook
CVE-2026-55138 is a medium-severity fix, but the combination of easy attack delivery and high data impact makes it a silent threat. With July’s patches now available, the onus shifts to users and administrators to close the gap. Watch for additional Office updates in the coming months, especially as attackers continue to probe spreadsheet applications for path traversal and memory corruption vulnerabilities. For now, a quick update and a healthy dose of suspicion toward unsolicited attachments will keep you protected.