CVE-2026-3463
Heap-Based Buffer Overflow in xlnt Compound Document Parser
Publication date: 2026-03-03
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xlnt-community | xlnt | to 1.6.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3463 is a heap-based buffer overflow vulnerability found in the xlnt library, specifically in the function xlnt::detail::binary_writer::append within the Compound Document Parser component.
The vulnerability occurs when parsing malformed Compound Document files, commonly used for encrypted XLSX files. The code allocates a fixed 512-byte buffer for a sector but attempts to write an additional 64 bytes immediately after this buffer without proper boundary checks, causing heap corruption.
This improper bounds checking or offset miscalculation leads to a heap-buffer-overflow (CWE-122), which can cause crashes or potential exploitation when processing specially crafted files.
The attack requires local access to the system and has been demonstrated with a minimal reproducer harness that triggers the overflow by loading a crafted XLSX file.
How can this vulnerability impact me? :
This vulnerability impacts the availability of the affected system by causing heap corruption through a buffer overflow.
Exploitation can lead to application crashes or denial of service when processing specially crafted encrypted XLSX files with malformed Compound Document structures.
Since the attack requires local access, an attacker must have local privileges to trigger the overflow.
The vulnerability does not directly affect confidentiality or integrity but can disrupt normal operation and availability of the software using the xlnt library.
A proof-of-concept exploit is publicly available, making it easier for attackers with local access to exploit this issue if unpatched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-3463 is a heap-based buffer overflow vulnerability found in the xlnt library, specifically in the function xlnt::detail::binary_writer::append within the Compound Document Parser component.
The vulnerability occurs because the code allocates a fixed 512-byte buffer for a sector (corresponding to the standard OLE sector size) but attempts to write an additional 64 bytes immediately after this buffer without proper boundary checks. This causes heap corruption.
This overflow happens during the parsing of the Master Sector Allocation Table (MSAT) in malformed Compound Document files, commonly used for encrypted XLSX files.
The issue arises from improper offset calculations or insufficient bounds checking when appending data to the sector buffer, leading to a write beyond the allocated memory.
The vulnerability can be triggered locally by processing specially crafted malformed files, and a proof-of-concept exploit is publicly available.
How can this vulnerability impact me? :
This vulnerability impacts the availability of the affected system by causing heap corruption, which can lead to application crashes or denial of service.
Since the overflow is heap-based, it may also be leveraged for further exploitation, although the CVE details indicate it does not directly affect confidentiality or integrity.
Exploitation requires local access, meaning an attacker must have local privileges to trigger the overflow.
The attack is considered easy to perform, and an exploit is publicly available, increasing the risk to users running vulnerable versions (up to 1.6.1) of the xlnt library.
Applying the provided patch (patch 147) is recommended to mitigate this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a heap-based buffer overflow occurring locally during the parsing of malformed Compound Document files in the xlnt library. Detection involves triggering the vulnerable code path, typically by loading a specially crafted XLSX file that causes the overflow.
Detection was performed using AddressSanitizer (ASAN) on a Linux x86_64 system compiled with Clang in Release mode with ASAN enabled. ASAN reported a write of 64 bytes immediately after a 512-byte allocated buffer, confirming the heap-buffer-overflow.
A minimal reproducer harness is available which loads a file using the function `xlnt::workbook::load` and iterates over cells, triggering the overflow when processing a crafted malformed file.
Suggested detection approach includes running the vulnerable xlnt library with ASAN enabled and loading suspicious or malformed XLSX files to observe heap-buffer-overflow errors.
No specific network commands are applicable since the attack requires local execution and is triggered by file parsing.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the patch released by the xlnt-community, identified as patch 147, which addresses the heap-buffer-overflow by implementing proper bounds checking and memory safety improvements.
Users of xlnt versions up to 1.6.1 should upgrade to a patched version that includes these fixes.
Avoid processing untrusted or malformed XLSX files with vulnerable versions of the xlnt library until the patch is applied.
Review and apply the improvements from the pull request #147 on the official xlnt GitHub repository, which includes enhanced memory safety, exception handling, and compliance with the MS-CFB specification.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by using AddressSanitizer (ASAN) during the execution of the xlnt library, specifically when loading or parsing XLSX files that may be malformed or crafted to trigger the heap-based buffer overflow.
A minimal reproducer harness is available that loads a file using the function `xlnt::workbook::load` and iterates over cells, which triggers the overflow when processing a crafted malformed file.
Detection involves running the vulnerable xlnt code with ASAN enabled on a Linux x86_64 system compiled with Clang in Release mode. ASAN reports a write of 64 bytes immediately after a 512-byte allocated buffer, indicating a heap-buffer-overflow.
Suggested commands include compiling the xlnt library with ASAN enabled and running the test harness or your application that uses xlnt to load XLSX files, for example:
- Compile with ASAN: `clang++ -fsanitize=address -g -O2 -o test_xlnt test_xlnt.cpp`
- Run the test harness or application: `./test_xlnt`
- Monitor ASAN output for heap-buffer-overflow errors indicating the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to apply the official patch (patch 147) released by the xlnt-community to fix the heap-based buffer overflow vulnerability.
This patch includes memory safety enhancements, proper bounds checking, and compliance improvements with the Microsoft Compound File Binary specification to prevent heap corruption.
Users of xlnt versions up to 1.6.1 should upgrade to the patched version or apply the patch from the official GitHub repository.
Since the exploit requires local access, restricting local user privileges and monitoring for suspicious local activity can also help reduce risk.