Description
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
Published: 2026-04-16
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure and ASLR Bypass
Action: Patch
AI Analysis

Impact

The vulnerability is an untrusted pointer dereference that occurs during XLS processing and conversion in ONLYOFFICE DocumentServer. This flaw allows attackers to read memory contents (information leak) and bypass Address Space Layout Randomization, potentially aiding further exploitation. It is a classic memory safety error marked as CWE‑125.

Affected Systems

VERSIONS PRIOR TO 9.3.0 of Ascensio ONLYOFFICE DocumentServer are affected. The issue is present in the document conversion component handling XLS files.

Risk and Exploitability

The CVSS score of 5 denotes moderate severity, while the lack of an EPSS score means current exploitation probability is unknown. The weakness does not require local privilege escalation; an attacker only needs to supply a crafted XLS file to the server. Because the flaw can subvert ASLR, attackers that discover it may combine it with other remote exploits. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 16, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ONLYOFFICE DocumentServer to 9.3.0 or later.
  • If an upgrade is not immediately possible, block or disable XLS file uploads or the conversion feature to prevent exploitation.
  • Implement input validation for XLS files and perform strict bounds checking to eliminate untrusted pointer dereferences, following secure coding practices.

Generated by OpenCVE AI on April 16, 2026 at 08:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title Untrusted Pointer Dereference in ONLYOFFICE DocumentServer XLS Processing Causes Information Leak and ASLR Bypass
First Time appeared Onlyoffice
Onlyoffice document Server
Vendors & Products Onlyoffice
Onlyoffice document Server

Thu, 16 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
Description ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Onlyoffice Document Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T12:31:05.251Z

Reserved: 2026-04-16T06:06:44.178Z

Link: CVE-2026-41034

cve-icon Vulnrichment

Updated: 2026-04-16T12:20:09.120Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T07:16:30.843

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-41034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses