Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
libxls through version 1.6.3 contains a use of uninitialized memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before being consumed by ole2_validate_sector_chain(), which may result in application crashes or potential information disclosure when processing a crafted XLS file
AnalysisAI
Uninitialized memory consumption in libxls 1.6.3 and earlier exposes server-side applications that parse XLS files to application crashes and potential heap memory disclosure. The flaw resides in the OLE container parser: read_MSAT() allocates memory for the Master Sector Allocation Table without fully initializing it, then passes it to ole2_validate_sector_chain(), which may read uninitialized bytes from the heap. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no authentication or user interaction is required - a remote attacker need only supply a crafted XLS file to an application that uses libxls as a parsing backend. No public exploit code or CISA KEV listing exists at time of analysis; EPSS stands at 0.02% (5th percentile), indicating very low observed exploitation activity.
Technical ContextAI
libxls is a C library for parsing legacy Microsoft Excel (.xls) binary files, which use the OLE2 (Compound Document) container format. The OLE2 format organizes file data into a chain of sectors indexed through the Master Sector Allocation Table (MSAT), which maps the layout of the File Allocation Table (FAT) sectors. The vulnerability maps to CWE-457 (Use of Uninitialized Variable): read_MSAT() allocates a buffer for the MSAT entries but does not zero-initialize or fully populate it before ole2_validate_sector_chain() traverses the structure. Depending on heap state at allocation time, this causes either a crash (when invalid uninitialized values are interpreted as sector pointers) or silent leakage of heap memory contents to the caller, which may propagate to output. Affected versions are confirmed through 1.6.3 per the CVE description; the EUVD-listed affected version field returns 'n/a', providing no additional precision.
RemediationAI
No vendor-released patched version is identified in the available data; the fix reference points to a GitHub issue (https://github.com/libxls/libxls/issues/155) rather than a tagged release or commit, so a released patched version is not independently confirmed at time of analysis. Consumers should monitor the libxls repository for a patch release and upgrade immediately upon availability. As a compensating control, applications can sandbox the libxls parsing process (e.g., via seccomp, a separate subprocess, or containerization) to limit the impact of both crashes and any memory disclosure. Restricting XLS file ingestion to authenticated, trusted sources reduces the effective attack surface aligned with the AV:N/PR:N exposure. Input validation (file magic byte checks, size limits) can reduce malformed-file attack surface but will not prevent exploitation of all crafted inputs. Enabling compiler mitigations such as stack canaries and FORTIFY_SOURCE during build, and enabling ASLR on the host, reduce the likelihood of turning a heap information leak into a more severe exploit primitive.
Same weakness CWE-457 – Use of Uninitialized Variable
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34178
GHSA-hwmf-9wj8-35pw