Skip to main content

libxls CVE-2026-26824

| EUVDEUVD-2026-34178 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-03 cve@mitre.org GHSA-hwmf-9wj8-35pw
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 14:26 vuln.today
CVSS changed
Jun 04, 2026 - 14:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 03, 2026 - 20:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

libxls through version 1.6.3 contains a use of uninitialized memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before being consumed by ole2_validate_sector_chain(), which may result in application crashes or potential information disclosure when processing a crafted XLS file

AnalysisAI

Uninitialized memory consumption in libxls 1.6.3 and earlier exposes server-side applications that parse XLS files to application crashes and potential heap memory disclosure. The flaw resides in the OLE container parser: read_MSAT() allocates memory for the Master Sector Allocation Table without fully initializing it, then passes it to ole2_validate_sector_chain(), which may read uninitialized bytes from the heap. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no authentication or user interaction is required - a remote attacker need only supply a crafted XLS file to an application that uses libxls as a parsing backend. No public exploit code or CISA KEV listing exists at time of analysis; EPSS stands at 0.02% (5th percentile), indicating very low observed exploitation activity.

Technical ContextAI

libxls is a C library for parsing legacy Microsoft Excel (.xls) binary files, which use the OLE2 (Compound Document) container format. The OLE2 format organizes file data into a chain of sectors indexed through the Master Sector Allocation Table (MSAT), which maps the layout of the File Allocation Table (FAT) sectors. The vulnerability maps to CWE-457 (Use of Uninitialized Variable): read_MSAT() allocates a buffer for the MSAT entries but does not zero-initialize or fully populate it before ole2_validate_sector_chain() traverses the structure. Depending on heap state at allocation time, this causes either a crash (when invalid uninitialized values are interpreted as sector pointers) or silent leakage of heap memory contents to the caller, which may propagate to output. Affected versions are confirmed through 1.6.3 per the CVE description; the EUVD-listed affected version field returns 'n/a', providing no additional precision.

RemediationAI

No vendor-released patched version is identified in the available data; the fix reference points to a GitHub issue (https://github.com/libxls/libxls/issues/155) rather than a tagged release or commit, so a released patched version is not independently confirmed at time of analysis. Consumers should monitor the libxls repository for a patch release and upgrade immediately upon availability. As a compensating control, applications can sandbox the libxls parsing process (e.g., via seccomp, a separate subprocess, or containerization) to limit the impact of both crashes and any memory disclosure. Restricting XLS file ingestion to authenticated, trusted sources reduces the effective attack surface aligned with the AV:N/PR:N exposure. Input validation (file magic byte checks, size limits) can reduce malformed-file attack surface but will not prevent exploitation of all crafted inputs. Enabling compiler mitigations such as stack canaries and FORTIFY_SOURCE during build, and enabling ASLR on the host, reduce the likelihood of turning a heap information leak into a more severe exploit primitive.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-26824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy