CVE Catalog

CVE-2026-26825

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Summary

A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer.

Risk Assessment

The vulnerability can lead to undefined behavior, incorrect parsing logic, or potential information disclosure, posing a threat to data security within the organization.

Recommendation

It is recommended to update the libxls library to the latest version to mitigate the risk associated with this vulnerability and to conduct a security audit of applications using this library.

Original NVD description (English source)

A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS