Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
AnalysisAI
ONLYOFFICE DocumentServer before 9.3.0 contains an untrusted pointer dereference vulnerability in XLS file processing that enables authenticated remote attackers to leak sensitive memory and bypass ASLR protections. The vulnerability affects XLS conversion workflows through multiple vectors including pictFmla.cbBufInCtlStm manipulation, allowing information disclosure without requiring user interaction. CVSS 5.0 reflects moderate risk given network accessibility and the authentication barrier, though the scope change to CVSS:C indicates potential cross-boundary impact.
Technical ContextAI
The vulnerability exists in ONLYOFFICE DocumentServer's XLS (Microsoft Excel Binary Format) parser, which handles pointer dereferencing during the conversion and processing of binary structures. XLS files contain embedded objects and drawing metadata (pictFmla refers to picture formula cells in Excel), stored in control stream buffers (cbBufInCtlStm). The parser fails to validate pointers before dereferencing them, allowing an attacker to craft malicious XLS payloads that cause the application to read from arbitrary memory locations. CWE-125 (Out-of-bounds Read) classifies this as a read-based memory safety violation. The information leak enables ASLR bypass by exposing heap/stack layout and library base addresses, a critical prerequisite for ROP or code injection chains in real exploits. The XLS format's complexity (legacy binary structures, nested references) increases parser attack surface.
RemediationAI
Vendor-released patch: Upgrade ONLYOFFICE DocumentServer to version 9.3.0 or later immediately. This version resolves the untrusted pointer dereference in XLS processing. For users unable to upgrade immediately, implement compensating controls: (1) Disable XLS document conversion/processing features in DocumentServer if not required for business operations (edit configuration to restrict input formats), accepting loss of Excel compatibility; (2) Restrict XLS file upload permissions to authenticated users with highest trust levels only, using DocumentServer's access control lists or reverse-proxy rules to block anonymous/low-privilege XLS submissions; (3) Deploy AppArmor or SELinux policies on the DocumentServer process to prevent arbitrary memory reads and enforce stricter bounds on buffer operations, with trade-off of potential performance overhead and rule maintenance burden; (4) Run DocumentServer in a sandboxed container with read-only filesystems and memory protections, limiting the value of leaked addresses if the sandbox kernel randomization is independent. Monitor the CHANGELOG.md and official vendor security advisories (https://github.com/ONLYOFFICE/DocumentServer) for patch confirmation before deploying.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23199