KB5002837 — Security Update for Microsoft Excel 2016

Overview

KB5002837 is a critical security update released on February 10, 2026, for Microsoft Excel 2016. This update addresses multiple high-severity vulnerabilities that could allow remote code execution, information disclosure, and denial of service attacks. The update applies to both 32-bit and 64-bit editions of Excel 2016 running on supported Windows operating systems.

Security Vulnerabilities Addressed

This update resolves four critical security vulnerabilities identified in Microsoft Excel 2016:

CVE-2026-0847: Remote Code Execution in File Parsing

A critical vulnerability in Excel's file parsing engine could allow attackers to execute arbitrary code by convincing users to open specially crafted Excel files. The vulnerability stems from insufficient input validation during file processing, potentially leading to buffer overflows and code execution with the privileges of the current user.

CVE-2026-0848: Memory Corruption in Chart Processing

A memory corruption vulnerability in chart object processing could lead to application crashes or code execution. The issue occurs when Excel processes malformed chart data structures, resulting in use-after-free conditions that attackers could exploit.

CVE-2026-0849: Information Disclosure in Formula Engine

An information disclosure vulnerability in Excel's formula calculation engine could expose sensitive data from memory. The vulnerability allows attackers to craft formulas that read unintended memory locations, potentially revealing confidential information.

Denial of Service in Pivot Table Processing

A denial of service vulnerability in pivot table processing could cause Excel to become unresponsive when handling malformed pivot table data. This could be exploited to disrupt productivity and system availability.

Affected Systems

This security update applies to the following Microsoft Excel 2016 configurations:

Operating System Compatibility

The update is compatible with the following Windows operating systems:

• Windows 10 version 1607 (Anniversary Update) and later
• Windows 11 (all versions)
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022

Installation Requirements

Before installing KB5002837, verify that your system meets the following requirements:

• Disk Space: Minimum 100 MB free space on the system drive
• Memory: At least 2 GB RAM (4 GB recommended)
• Permissions: Administrator rights required for installation
• Prerequisites: Microsoft Excel 2016 must be installed and activated

Deployment Methods

Automatic Updates

For most users, KB5002837 will be automatically downloaded and installed through Windows Update or Microsoft Update. The installation process typically completes within 5 minutes and does not require a system restart.

Manual Installation

Enterprise administrators can download the update manually from the Microsoft Update Catalog for controlled deployment scenarios. The standalone installer supports silent installation using the /quiet parameter.

Enterprise Deployment

Organizations using Microsoft System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS) can deploy this update through their existing patch management infrastructure. The update is classified as a Critical security update in both systems.

Post-Installation Verification

After installing KB5002837, verify the update was applied successfully:

Get-HotFix -Id KB5002837

You can also verify the Excel version by opening Excel and navigating to File > Account > About Excel. The version should reflect the updated build number.

Security Recommendations

To maximize protection after installing this update:

• Enable Excel's Protected View for files from untrusted sources
• Configure macro security settings to require signed macros
• Regularly update Excel and other Office applications
• Educate users about the risks of opening Excel files from unknown sources
• Implement email security solutions to scan attachments for malicious content