CVE-2026-55049 is a Microsoft Office heap-based buffer overflow that can lead to remote code execution. Microsoft rates it CVSS v3.1 base 7.8 and temporal 6.8, with a local attack vector, low attack complexity, no privileges required, and user interaction required. The issue is not publicly disclosed and is not known to be exploited in the wild. The attack requires a user to open a malicious Office file, and Microsoft notes the Preview Pane is also an attack vector. Because the vector is local and user interaction is required, enterprise risk is lower than for network-exposed, no-interaction vulnerabilities, but Office document handling remains a relevant phishing-delivery risk. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; local vector, low attack complexity, no privileges required, and user interaction required, with a malicious Office file as the delivery method. - Severity for enterprise: High severity by CVSS, but lower real-world exposure than network-based RCE because exploitation requires local user interaction and is not a remotely reachable service weakness. - Patch status: available; customer action required. Affected systems: - No products listed in source data.