CVE-2026-55137 is a Microsoft Excel heap-based buffer overflow that can lead to Remote Code Execution. Microsoft rates it CVSS v3.1 7.8/6.8 (base/temporal) with LOCAL attack vector, LOW attack complexity, NO privileges required, and user interaction REQUIRED. The FAQ says the attacker must send a malicious Office file and convince the user to open it; the Preview Pane is not an attack vector. Microsoft reports no public disclosure and no exploitation, with exploit code maturity UNPROVEN. Enterprise risk is highest for environments where users may open untrusted Excel files, but the local vector and required user interaction reduce exposure compared with network-reachable, no-interaction flaws. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; the vector is LOCAL, attack complexity is LOW, privileges required are NONE, and user interaction is REQUIRED. - Severity for enterprise: High technical severity, but lower real-world exposure than network-based RCE because exploitation requires a user to open a malicious local Office file; phishing-like delivery is relevant. - Patch status: available; customer action required. Affected systems: - No products listed in the provided product_tree.