Microsoft dropped a security fix on July 14, 2026, killing a bug in Excel that attackers can exploit to run malicious code on your machine—provided they can convince you to open a booby-trapped file. Labeled CVE-2026-56156, the vulnerability earned a CVSS 3.1 base score of 7.8, the high end of the severity scale, and leaves every current Office edition exposed until patched.
What the flaw actually does
The root cause is a heap-based buffer overflow. When Excel parses a specially crafted workbook, it can overwrite memory in a way that allows an unauthorized attacker to take control of the program’s execution flow. Microsoft’s advisory notes that the attacker doesn’t need existing credentials or elevated privileges on the target system, and the attack complexity is low—meaning exploit code can likely be reused reliably once developed.
The CVSS vector spells out the conditions: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In plain terms, the vulnerability is triggered through local file processing (you open a document), no authentication is required, but the attacker needs you to perform an action. If the exploit succeeds, the impact on confidentiality, integrity, and availability is high.
This is not a “remote” flaw in the sense of a network service that an internet scanner can find. Excel doesn’t listen for incoming connections. Instead, the attack chain depends on Excel running on your device and crunching through malicious data—exactly what happens when you double-click an attachment or download a spreadsheet from a shared link.
Microsoft’s own Security Update Guide answers the inevitable head-scratcher: why label it remote code execution when the CVSS vector says Local? The answer, they explain, is that “Remote” describes the attacker’s location, not the attack delivery method. The same class of bug is sometimes called arbitrary code execution (ACE). The attacker may be in a different country, but the exploit itself requires local file parsing.
How an attack would play out
Think of a typical phishing email: an urgent invoice, a “missed delivery” notice, or a salary report disguised as an internal HR memo. The attachment looks like a legitimate Excel workbook, maybe with the filename “2026-07-Invoice.xlsx” or similar. When you open it, the corrupted data triggers the heap overflow and the attacker’s code runs in your user context.
The infected file doesn’t need macros or active content prompts; a successful exploit hijacks Excel before any security warning appears. What the attacker does next depends on their goal—stealing local documents, dropping ransomware, installing a backdoor, or pivoting to corporate resources. Because the code executes with your rights, it inherits your file shares, cloud drive sync, and application access.
The “Required User Interaction” (UI:R) element is critical: an attacker can’t push code onto your PC without you opening something. But for businesses that exchange spreadsheets daily, the barrier is low. Payroll, procurement, sales forecasts, and financial models all travel by email, Teams, and SharePoint. Attackers know this and tailor lures to match.
Which versions are affected—and how to check yours
The CVE record lists an unusually broad set of targets:
- Microsoft 365 Apps for Enterprise (both 32- and 64-bit Windows editions)
- Office LTSC 2021 and Office LTSC 2024 (Windows, both architectures)
- Office 365 for Mac
- Office LTSC for Mac 2021 and 2024
For Mac users, the fixed build is explicitly identified as version 16.111.26071215 or later. On Windows, the story is more nuanced because Microsoft 365 Apps update through channels (Current, Monthly Enterprise, Semi-Annual Enterprise) and patches land at different cadences. The July 14 release applies to all supported channels, but administrators need to verify that devices actually picked up the update.
Here’s how to check your Excel version:
- Open Excel, go to File > Account > About Excel. The build number appears at the top.
- For Windows, any build dated July 14, 2026, or later is patched; the actual build number varies by channel.
- For Mac, click Excel > About Excel and confirm the version is 16.111.26071215 or higher.
Home users who leave automatic updates on (the default) should already have the fix. If you’ve paused updates, head to File > Account > Update Options > Update Now and let it install.
Defense layers that still help (but don’t skip the patch)
Until you confirm the update is applied, existing Office security mechanisms reduce exposure. Protected View opens files from the internet in a sandboxed mode with limited rights—editing is blocked and active content is disabled. While a sophisticated heap overflow might breach Protected View, it raises the exploitation bar markedly.
Microsoft Defender’s network-protection and cloud-delivered protection features can also intercept known exploit patterns if the malicious file is delivered via common vectors. Attachment filtering in email gateways, Safe Links in Defender for Office 365, and SmartScreen checks in browsers add more friction. But none of these are foolproof; the update eliminates the root cause.
For organizations, a practical playbook looks like this:
1. Inventory Office installations with endpoint management tools to flag any unpatched instances.
2. Force an update scan from the Office client or push the update via Intune/ConfigMgr for managed devices.
3. Double-check Mac endpoints separately; they often escape Windows-centric patch audits.
4. Remind employees to treat external spreadsheets with caution, especially when the sender’s identity isn’t verified out-of-band.
If you can’t patch immediately, consider enforcing Protected View for all documents originating from the internet (File > Options > Trust Center > Trust Center Settings > Protected View). You can also block Excel from running altogether on high-risk machines until updates are deployed, but that’s a blunt instrument for most shops.
Why Excel memory bugs still matter in 2026
Office memory-corruption flaws aren’t new, yet they remain a favored attack path. Spreadsheets carry financial data, customer lists, and proprietary calculations—ideal for reconnaissance or extortion. Unlike browser vulnerabilities, which often receive aggressive patching and sandboxing, many organizations still run Office with fewer restrictions because business processes rely on complex macros, add-ins, and legacy formats.
The CVSS score of 7.8 places CVE-2026-56156 squarely in the “patch now” category for most enterprises. The low attack complexity and absence of privilege requirements mean that a working exploit might circulate in underground forums within days of the advisory. While no active exploitation was reported at the time of the update, July’s Patch Tuesday bundle—often targeted by reverse engineers—can quickly change that.
It’s also worth noting that the “Local” vector shouldn’t lull anyone into underestimating the danger. CVSS defines Local as a component that isn’t attacked through a network stack; it doesn’t mean a local user or physical access. The FIRST CVSS user guide explicitly includes “the attacker relies on a user to open a malicious document” as a scenario for AV:L. So the high score accurately reflects the risk: one click and a skilled adversary owns your session.
What to do right now
For individual Windows users: Open any Office app (Word or Excel), click File > Account > Update Options > Update Now. Restart Office applications afterward. Verify the build number.
For Mac users: Go to the App Store or use Microsoft AutoUpdate (usually in /Library/Application Support/Microsoft/MAU2.0) to install Office updates. Ensure Excel shows version 16.111.26071215 or later.
For IT admins: Audit your Office fleet using Microsoft 365 Apps admin center, Intune, or SCCM reporting. The patch shipped under the standard July 14 security releases; confirm that your update channel isn’t paused and that devices have synced. If you use Office Deployment Tool, refresh your configuration XML to the latest build and redeploy.
For security teams: Update detection rules in your SIEM or EDR to flag old Excel builds (before July 14, 2026) as a compliance priority. Monitor proxy logs for suspicious connections from Excel to unknown IPs, which could indicate post-exploitation callbacks.
What to watch next
Microsoft rarely isolates a single memory-safe defect; the July 2026 round included multiple fixes for Office applications. Review the full release notes for Word and Outlook patches that may address similar parsing flaws. Also watch for proof-of-concept code appearing on GitHub or Twitter—once a reliable exploit surfaces, the threat level for unpatched systems spikes immediately. If your organization lags in Office patching because of add-in compatibility fears, now is the time to test and break that cycle. The June and July 2026 clusters show that attackers still find fertile ground in document-based attacks.