Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.
AnalysisAI
Use-of-uninitialized memory in libxls 1.6.3 exposes applications that parse XLS files to potential information disclosure via heap memory leakage. The flaw originates in the OLE layer (ole2_read) and surfaces in xls_parseWorkBook() when processing malformed XLS input, meaning any downstream application or service that accepts and parses XLS files using this library inherits the exposure. With a CVSS score of 5.3 and an EPSS of 0.02% (6th percentile), real-world exploitation probability is low; no public exploit or CISA KEV listing exists at time of analysis.
Technical ContextAI
libxls is a C library for reading Microsoft Excel (XLS/BIFF) binary format files, identified by CPE cpe:2.3:a:libxls_project:libxls:1.6.3:*:*:*:*:*:*:*. The vulnerability is classified as CWE-908 (Use of Uninitialized Resource), a memory safety defect where heap-allocated memory is read before being explicitly initialized. The flaw originates in ole2_read, the component responsible for parsing the OLE2 compound document container format that underlies XLS files. Uninitialized bytes from this layer are subsequently consumed by xls_parseWorkBook(), the primary workbook parsing function. The issue was identified as detectable via MemorySanitizer (MSAN), a compile-time instrumentation tool for detecting uninitialized reads - indicating the defect may not manifest as a crash under normal execution but instead produces undefined behavior or silently leaks heap content. The root cause is a missing initialization of heap-allocated memory before use, which can expose adjacent or stale heap data to callers.
RemediationAI
No vendor-released patch with a confirmed fix version has been identified at time of analysis. The issue is tracked upstream at https://github.com/libxls/libxls/issues/156, which should be monitored for a patched release. Until a fix is available, operators should apply compensating controls: restrict acceptance of XLS files to trusted, authenticated sources only, reducing the attack surface for unauthenticated file submission paths. Applications can sandbox or isolate the libxls parsing process (e.g., via a separate privilege-dropped subprocess or container) so that any leaked heap memory does not expose sensitive application data. Additionally, compiling libxls with -ftrivial-auto-var-init=zero (GCC/Clang) can mitigate uninitialized read risks at the cost of minor performance overhead. Organizations should also audit whether their libxls integration passes any sensitive data through heap allocations prior to XLS parsing calls, as that data could be inadvertently disclosed. Additional context is available via VulDB advisory at https://vuldb.com/vuln/368223.
The read_MSAT_body function in ole.c in libxls 1.4.0 has an invalid free that allows attackers to cause a denial of serv
Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of
Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of
Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of
Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of
Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of
Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of
The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (ap
An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. Rated high severity (CVSS 8
An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4.A specially crafted XLS
An exploitable stack based buffer overflow vulnerability exists in the xls_getfcell function of libxls 1.3.4. Rated high
An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. Rated high severi
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34179
GHSA-48jr-3rh3-95w6