The libxls library, used to parse Microsoft Excel files, has a use‑of‑uninitialized memory flaw in its OLE container parser. During the allocation of the Master Sector Allocation Table, memory is not fully initialized before being passed to the sector‑chain validation routine. This results in either a crash or the leakage of memory contents when the library processes a specially crafted XLS file. Such a failure can expose sensitive data or cause denial of service conditions in applications that depend on libxls for file reading.

This issue affects the libxls library up to version 1.6.3. The library is commonly integrated into applications that process Excel spreadsheets, such as data import tools, document conversion services, or other software that relies on XLS support. Users employing libxls versions 1.6.3 or older are potentially exposed, irrespective of vendor or distribution, as the vulnerability is within the open‑source library itself.

The vulnerability carries an EPSS score of 0.00018, indicating a very low but non‑zero probability of exploitation, and it is not listed in the CISA KEV catalog. The CVSS score of 6.5 indicates medium severity risk. However, the flaw’s attack vector is inferred to be an untrusted XLS file supplied to an application that uses libxls, which could be local or remote depending on the context. An adversary can craft a file that, when parsed, may trigger a crash or leak memory content, potentially serving as a denial of service or a source of sensitive data. Because memory is not fully initialized, the exact disclosed information could vary, but the impact remains significant for any application that processes untrusted spreadsheet files.