CVE-2026-55140 is a Microsoft Office heap-based buffer overflow that can lead to remote code execution. Microsoft rates it as High severity with a CVSS v3.1 base score of 7.8 and temporal score of 6.8. The vector is local (AV:L), low attack complexity, no privileges required, user interaction required, and unchanged scope. Microsoft says the exploit status is not publicly disclosed and not exploited, with exploit code maturity unproven. The FAQ states an attacker must send a malicious Office file and convince the user to open it, and the Preview Pane is also an attack vector. Because this is local and requires user interaction, it is less exposed than a network-reachable, no-interaction issue, but it remains relevant for enterprise users of Office. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; the vector is LOCAL, with LOW attack complexity and REQUIRED user interaction. - Severity for enterprise: High severity, but enterprise risk is constrained by the local attack vector and user interaction requirement; phishing-style delivery of a malicious Office file or Preview Pane interaction increases relevance for end-user environments. - Patch status: available; customer action required. Affected systems: - No products listed in the provided product_tree.