Description
A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-of-uninitialized memory flaw exists in libxls 1.6.3 when it parses malformed XLS files via xls_parseWorkBook(). The bug originates from uninitialized heap memory produced by the OLE layer (ole2_read) and can cause undefined behavior, incorrect parsing logic, or potential leakage of sensitive information. The vulnerability is detectable with MemorySanitizer and can lead to application crashes or data exposure if left unaddressed.

Affected Systems

The affected product is the libxls open-source library, specifically version 1.6.3. No other vendor or product variants are listed. Systems that embed libxls 1.6.3 and process XLS files from untrusted sources are potentially impacted.

Risk and Exploitability

No CVSS score or EPSS value is available for this entry, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggered by malformed input files parsed by the library, the likely attack vector is local or remote delivery of a crafted XLS file to an application that uses libxls. While the absence of exploitation metrics makes a precise risk assessment difficult, the possibility of information disclosure and unstable parsing logic warrants precautionary measures.

Generated by OpenCVE AI on June 3, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libxls to a fixed version (e.g., 1.6.4 or later) that resolves the uninitialized memory issue.
  • If an update cannot be applied immediately, restrict the use of libxls to validated, trusted Excel files and perform strict input validation before parsing.
  • Run vulnerable applications in a sandboxed or isolated environment to contain potential crashes or leaks resulting from malformed files.

Tracking

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Title | | Uninitialized Memory Use in libxls 1.6.3 Leads to Undefined Behavior and Possible Information Disclosure
Weaknesses | | CWE-758

Wed, 03 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.
References | |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T20:01:10.984Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26825

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-03T20:16:18.797

Modified: 2026-06-03T20:16:18.797

Link: CVE-2026-26825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T21:30:32Z

Weaknesses