CVE-2026-55018 - Microsoft Office Remote Code Execution Vulnerability - is a use-after-free issue in Microsoft Office that can lead to remote code execution after a user opens a malicious Office file. Microsoft reports no public disclosure and no known exploitation, with exploit code maturity listed as UNPROVEN. The CVSS v3.1 score is 7.8 (High), but the attack vector is LOCAL, requires user interaction, and has no privileges required. Enterprise risk is meaningful for user workstations because the attack is phishing-related and can be triggered through opening a crafted file, but it is not a network-exposed, no-interaction service vulnerability. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts - Exploitation likelihood: Exploitation Less Likely; vector is LOCAL with LOW attack complexity, NO privileges required, and user interaction required - Severity for enterprise: High severity on affected Office endpoints, especially where users can open untrusted files or preview content; lower enterprise-wide exposure than remote/network attacks because exploitation is local and requires user action - Patch status: available Affected systems: - Not listed in source data