CVE-2026-55899 is a Microsoft Excel stack-based buffer overflow that can lead to remote code execution. Microsoft rates it at CVSS v3.1 base 7.8 and temporal 6.8, with a LOCAL attack vector, LOW attack complexity, no privileges required, and user interaction required. The title describes remote code execution, but the provided FAQ states the attack is carried out locally and requires the victim to open a malicious Office file. Microsoft reports no public disclosure and no known exploitation, with exploit code maturity listed as UNPROVEN. This is a phishing-related local execution issue rather than a network-exposed service vulnerability, so enterprise risk is higher for users who may open untrusted Office files than for exposed server services. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Microsoft rates this as Exploitation Less Likely; the vector is LOCAL and user interaction is REQUIRED, consistent with a malicious Office file being opened. - Severity for enterprise: High severity by CVSS, but lower enterprise exposure than network-reachable flaws because exploitation is local and requires user action. Risk is concentrated in client endpoints where users handle Office documents. - Patch status: available; customer action is required. Affected systems: - No products listed in the provided product_tree.