CVE-2026-55039 is a Microsoft Excel Remote Code Execution vulnerability caused by an integer underflow (wrap or wraparound). Microsoft rates it CVSS v3.1 7.8 High, with a temporal score of 6.8. The attack vector is LOCAL, attack complexity is LOW, privileges required are NONE, and user interaction is REQUIRED. The vulnerability can lead to high confidentiality, integrity, and availability impact. Microsoft states it is not publicly disclosed and not exploited, with exploit code maturity listed as UNPROVEN. The issue is phishing-related because an attacker must send a malicious Office file and convince a user to open it. Enterprise risk is lower than network-reachable RCE issues because exploitation requires local execution and user interaction, but it remains important for environments where users handle untrusted Excel files. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts - Exploitation likelihood: Exploitation Less Likely; local attack vector with LOW complexity, NO privileges required, and REQUIRED user interaction - Severity for enterprise: High severity by CVSS, but practical enterprise risk is reduced by the LOCAL vector and required user interaction; main exposure is user-driven document handling rather than internet-facing services - Patch status: available Affected systems: - Not listed in product_tree