Microsoft’s January 2026 Patch Tuesday shipped two Microsoft Excel remote code execution (RCE) bugs worth your attention: CVE-2026-20957 and CVE-2026-20955. Both sit among the six RCE flaws Microsoft rated critical that month, part of a release that closed more than a hundred bugs in total.
What these vulnerabilities are
CVE-2026-20957 is an integer underflow flaw that leads to a heap-based buffer overflow (CWE-122). When Excel opens a crafted spreadsheet, an integer arithmetic operation wraps around and the result corrupts heap memory. From there, the corruption can be used to hijack execution flow and run arbitrary code with the privileges of whoever opened the document. It scores CVSS 7.8 (high), with high impact on confidentiality, integrity and availability.
CVE-2026-20955 is an untrusted pointer dereference in Excel that also allows local code execution. It stems from improper handling of pointer values while Excel processes a specially crafted document, which can hand the attacker control of program flow.
In both cases the attack vector is local and requires user interaction: the attacker has to get the victim to open a crafted file (.xlsx, .xlsm or legacy formats). The usual route is social engineering: an email attachment or a download that delivers the malicious spreadsheet.
Who is affected
These bugs affect Microsoft Office Excel, the Microsoft 365 Excel apps and the Office suites that ship Excel on Windows. Any organization or user who opens spreadsheets from external sources is exposed. Excel is a Windows application, true, but keep in mind that Office files are also processed on servers and services such as Office Online Server, which received its own update.
Severity
Microsoft rated both flaws critical in the bulletin. The underlying risk is that a single document opened carelessly can compromise the user’s workstation and serve as the entry point for lateral movement, credential theft or ransomware. No active exploitation of these two CVEs had been reported at patch time, unlike other zero-days in the same Patch Tuesday, but memory-corruption RCEs in a ubiquitous client make them attractive targets.
Mitigation and patch
The first thing is to apply the January 2026 security updates through Windows Update or the Microsoft 365 / Office update channels. A few more recommendations:
- Keep the Office client current on every machine, not just the operating system.
- Distrust spreadsheets you weren’t expecting and open external files in Protected View.
- Block or restrict macros from external sources through policy.
- Apply least privilege so that code running under the user’s account does as little damage as possible.
If you run a fleet of machines, push these patches to the front of your deployment queue given their critical rating.
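As an added example (not from the Microsoft bulletin or any vendor tool), the following PowerShell audit checks a workstation for the hardening recommended above: Protected View enabled for external files, macros blocked in files from the Internet, and the installed Office build reported so it can be compared with the fixed build in the January 2026 bulletin. It assumes an Office 16.0 registry hive (Office 2016/2019/2021 and Microsoft 365) and a Click-to-Run install; the fixed build number is not on this page and must be taken from the bulletin.

```powershell
# Added audit example (assumption: Office 16.0 hive, Click-to-Run install).
# Run in the context of the user whose Excel configuration you want to inspect.

function Get-OfficeSetting {
    param([string]$Subkey, [string]$Name)
    # Policy hive takes precedence over the per-user hive, as Office itself resolves settings
    $roots = @(
        'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security',
        'HKCU:\Software\Microsoft\Office\16.0\Excel\Security'
    )
    foreach ($r in $roots) {
        $path = if ($Subkey) { "$r\$Subkey" } else { $r }
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # not set anywhere: Office falls back to its built-in default
}

function Test-ExcelHardening {
    # Disable*InPV = 0 keeps Protected View ON; BlockContentExecutionFromInternet = 1
    # blocks macros in files carrying the Mark of the Web. (Note the real key name
    # 'DisableAttachementsInPV' is misspelled by Office itself.)
    $checks = @(
        @{ Name = 'DisableInternetFilesInPV';          Subkey = 'ProtectedView'; Expect = 0; Desc = 'Protected View: Internet files' },
        @{ Name = 'DisableAttachementsInPV';           Subkey = 'ProtectedView'; Expect = 0; Desc = 'Protected View: Outlook attachments' },
        @{ Name = 'DisableUnsafeLocationsInPV';        Subkey = 'ProtectedView'; Expect = 0; Desc = 'Protected View: unsafe locations' },
        @{ Name = 'BlockContentExecutionFromInternet'; Subkey = '';              Expect = 1; Desc = 'Block macros from the Internet' }
    )
    foreach ($c in $checks) {
        $actual = Get-OfficeSetting -Subkey $c.Subkey -Name $c.Name
        # An unset Protected View key is safe (default is enabled); an unset macro block is not
        $ok = ($actual -eq $c.Expect) -or ($null -eq $actual -and $c.Expect -eq 0)
        $shown = if ($null -eq $actual) { 'not set (default)' } else { $actual }
        [pscustomobject]@{ Setting = $c.Desc; Value = $shown; Expected = $c.Expect; Status = if ($ok) { 'OK' } else { 'REVIEW' } }
    }
    # Installed build: compare against the fixed build listed in the January 2026 bulletin
    $cfg   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $build = if ($cfg) { $cfg.VersionToReport } else { 'unknown (not Click-to-Run?)' }
    [pscustomobject]@{ Setting = 'Installed Office build'; Value = $build; Expected = '<fixed build from bulletin>'; Status = 'CHECK' }
}

Test-ExcelHardening | Format-Table -AutoSize
```

Any row marked REVIEW points at a setting worth enforcing through Group Policy rather than per user, and the build row should be compared against the bulletin before the machine is considered patched.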