CVE-2026-55036 is a Microsoft Excel remote code execution vulnerability described as a buffer over-read. Microsoft rates it with a CVSS v3.1 base score of 7.8 (High) and a temporal score of 6.8. The vector is local attack, low complexity, no privileges required, but user interaction is required. The FAQ states an attacker must send a malicious Office file and convince a user to open it; the Preview Pane is not an attack vector. Microsoft reports no public disclosure and no known exploitation, with exploit code maturity unproven. Because it depends on user opening a file and is not network-exploitable, enterprise risk is primarily tied to phishing and user execution rather than exposed services. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; vector context is LOCAL, LOW attack complexity, NONE privileges required, and USER INTERACTION REQUIRED. - Severity for enterprise: High severity by CVSS, but lower enterprise exposure than network-reachable flaws because exploitation requires local execution and convincing a user to open a malicious Office file. - Patch status: available; customer action required. Affected systems: - No products listed in source data.