CVE-2026-55037 is a Microsoft Excel remote code execution vulnerability caused by a heap-based buffer overflow. Microsoft rates it High severity with a CVSS v3.1 base score of 7.8 and temporal score of 6.8. The attack vector is local (AV:L), attack complexity is low, privileges are not required, and user interaction is required. Microsoft states the attacker must send a malicious Office file and convince a user to open it; the Preview Pane is not an attack vector. Exploit code maturity is unproven, and Microsoft reports no public disclosure and no known exploitation. Enterprise risk is primarily for endpoints where users may open untrusted Excel files, rather than network-exposed services. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts - Exploitation likelihood: Microsoft indicates Exploitation Less Likely; vector context is LOCAL with LOW attack complexity, NO privileges required, and UI required - Severity for enterprise: High technical severity, but lower enterprise exposure than network-reachable flaws because exploitation requires local execution context and user interaction via opening a malicious Office file - Patch status: available; customer action required Affected systems: - No products listed in the source data