Skip to main content

libxls EUVDEUVD-2026-34179

| CVE-2026-26825 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-06-03 cve@mitre.org GHSA-48jr-3rh3-95w6
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 18:52 vuln.today
CVSS changed
Jun 04, 2026 - 18:52 NVD
5.3 (MEDIUM)
CVE Published
Jun 03, 2026 - 20:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.

AnalysisAI

Use-of-uninitialized memory in libxls 1.6.3 exposes applications that parse XLS files to potential information disclosure via heap memory leakage. The flaw originates in the OLE layer (ole2_read) and surfaces in xls_parseWorkBook() when processing malformed XLS input, meaning any downstream application or service that accepts and parses XLS files using this library inherits the exposure. With a CVSS score of 5.3 and an EPSS of 0.02% (6th percentile), real-world exploitation probability is low; no public exploit or CISA KEV listing exists at time of analysis.

Technical ContextAI

libxls is a C library for reading Microsoft Excel (XLS/BIFF) binary format files, identified by CPE cpe:2.3:a:libxls_project:libxls:1.6.3:*:*:*:*:*:*:*. The vulnerability is classified as CWE-908 (Use of Uninitialized Resource), a memory safety defect where heap-allocated memory is read before being explicitly initialized. The flaw originates in ole2_read, the component responsible for parsing the OLE2 compound document container format that underlies XLS files. Uninitialized bytes from this layer are subsequently consumed by xls_parseWorkBook(), the primary workbook parsing function. The issue was identified as detectable via MemorySanitizer (MSAN), a compile-time instrumentation tool for detecting uninitialized reads - indicating the defect may not manifest as a crash under normal execution but instead produces undefined behavior or silently leaks heap content. The root cause is a missing initialization of heap-allocated memory before use, which can expose adjacent or stale heap data to callers.

RemediationAI

No vendor-released patch with a confirmed fix version has been identified at time of analysis. The issue is tracked upstream at https://github.com/libxls/libxls/issues/156, which should be monitored for a patched release. Until a fix is available, operators should apply compensating controls: restrict acceptance of XLS files to trusted, authenticated sources only, reducing the attack surface for unauthenticated file submission paths. Applications can sandbox or isolate the libxls parsing process (e.g., via a separate privilege-dropped subprocess or container) so that any leaked heap memory does not expose sensitive application data. Additionally, compiling libxls with -ftrivial-auto-var-init=zero (GCC/Clang) can mitigate uninitialized read risks at the cost of minor performance overhead. Organizations should also audit whether their libxls integration passes any sensitive data through heap allocations prior to XLS parsing calls, as that data could be inadvertently disclosed. Additional context is available via VulDB advisory at https://vuldb.com/vuln/368223.

More in Libxls

View all
CVE-2018-20452 HIGH POC
8.8 Dec 25

The read_MSAT_body function in ole.c in libxls 1.4.0 has an invalid free that allows attackers to cause a denial of serv

CVE-2023-38856 MEDIUM POC
6.5 Aug 15

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of

CVE-2023-38855 MEDIUM POC
6.5 Aug 15

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of

CVE-2023-38854 MEDIUM POC
6.5 Aug 15

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of

CVE-2023-38853 MEDIUM POC
6.5 Aug 15

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of

CVE-2023-38852 MEDIUM POC
6.5 Aug 15

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of

CVE-2023-38851 MEDIUM POC
6.5 Aug 15

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of

CVE-2018-20450 MEDIUM POC
6.5 Dec 25

The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (ap

CVE-2017-12111 HIGH
8.8 Nov 20

An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. Rated high severity (CVSS 8

CVE-2017-12110 HIGH
8.8 Nov 20

An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4.A specially crafted XLS

CVE-2017-2919 HIGH
7.8 Nov 20

An exploitable stack based buffer overflow vulnerability exists in the xls_getfcell function of libxls 1.3.4. Rated high

CVE-2017-2896 HIGH
7.8 Nov 20

An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. Rated high severi

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-34179 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy