CVE-2026-26825
Severity: MEDIUM (CVSS 3.1 base score 5.3) · EPSS 11.7%
Published Jun 3, 2026 (4w ago) · Modified Jun 17, 2026 (2w ago)
Description
A use-of-uninitialized-memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSan) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Threat Intelligence
EPSS exploit probability: 11.7% percentile
Exploit & Patch Status: public exploit known; no patch available
Weaknesses (1)
- CWE-908 (Use of Uninitialized Resource)
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| libxls_project | libxls | 1.6.3 | any |
References (1)
- github.com https://github.com/libxls/libxls/issues/156
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.