Skip to main content

Onlyoffice Documentserver CVE-2026-41034

| EUVDEUVD-2026-23199 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-16 mitre
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 17, 2026 - 15:38 nvd
Patch available
Patch available
Apr 16, 2026 - 07:01 EUVD
Analysis Generated
Apr 16, 2026 - 06:40 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 06:30 euvd
EUVD-2026-23199
Analysis Generated
Apr 16, 2026 - 06:30 vuln.today
CVE Published
Apr 16, 2026 - 06:06 nvd
MEDIUM 5.0

DescriptionCVE.org

ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.

AnalysisAI

ONLYOFFICE DocumentServer before 9.3.0 contains an untrusted pointer dereference vulnerability in XLS file processing that enables authenticated remote attackers to leak sensitive memory and bypass ASLR protections. The vulnerability affects XLS conversion workflows through multiple vectors including pictFmla.cbBufInCtlStm manipulation, allowing information disclosure without requiring user interaction. CVSS 5.0 reflects moderate risk given network accessibility and the authentication barrier, though the scope change to CVSS:C indicates potential cross-boundary impact.

Technical ContextAI

The vulnerability exists in ONLYOFFICE DocumentServer's XLS (Microsoft Excel Binary Format) parser, which handles pointer dereferencing during the conversion and processing of binary structures. XLS files contain embedded objects and drawing metadata (pictFmla refers to picture formula cells in Excel), stored in control stream buffers (cbBufInCtlStm). The parser fails to validate pointers before dereferencing them, allowing an attacker to craft malicious XLS payloads that cause the application to read from arbitrary memory locations. CWE-125 (Out-of-bounds Read) classifies this as a read-based memory safety violation. The information leak enables ASLR bypass by exposing heap/stack layout and library base addresses, a critical prerequisite for ROP or code injection chains in real exploits. The XLS format's complexity (legacy binary structures, nested references) increases parser attack surface.

RemediationAI

Vendor-released patch: Upgrade ONLYOFFICE DocumentServer to version 9.3.0 or later immediately. This version resolves the untrusted pointer dereference in XLS processing. For users unable to upgrade immediately, implement compensating controls: (1) Disable XLS document conversion/processing features in DocumentServer if not required for business operations (edit configuration to restrict input formats), accepting loss of Excel compatibility; (2) Restrict XLS file upload permissions to authenticated users with highest trust levels only, using DocumentServer's access control lists or reverse-proxy rules to block anonymous/low-privilege XLS submissions; (3) Deploy AppArmor or SELinux policies on the DocumentServer process to prevent arbitrary memory reads and enforce stricter bounds on buffer operations, with trade-off of potential performance overhead and rule maintenance burden; (4) Run DocumentServer in a sandboxed container with read-only filesystems and memory protections, limiting the value of leaked addresses if the sandbox kernel randomization is independent. Monitor the CHANGELOG.md and official vendor security advisories (https://github.com/ONLYOFFICE/DocumentServer) for patch confirmation before deploying.

Share

CVE-2026-41034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy