CVE-2026-3663
Received - Intake
Out-of-Bounds Read in xlnt XLSX Parser (Local Access)

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-03-07
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor: xlnt-community
Product: xlnt
Version / Range: up to 1.6.1 (inclusive)
CWE ID and Description
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3663 is a heap-based buffer overflow vulnerability (out-of-bounds read) in the xlnt library, specifically in the function xlnt::detail::compound_document_istreambuf::xsgetn within the XLSX File Parser component.

The vulnerability occurs when parsing encrypted XLSX files, particularly during the reading of Agile Encryption information. The function reads data from a fragmented stream stored in an OLE container, where the stream sectors are tracked by a vector. Due to improper handling of the end-of-chain condition, the function reads beyond the allocated buffer, causing an out-of-bounds memory access.

This out-of-bounds read can lead to application crashes or potentially allow attackers to read sensitive memory, resulting in denial of service or information disclosure.


How can this vulnerability impact me?

The vulnerability can cause crashes of applications using the xlnt library when processing specially crafted encrypted XLSX files, leading to denial of service.

Additionally, the out-of-bounds read may allow attackers with local access to read sensitive memory, potentially leading to information disclosure.

Exploitation requires local access and is considered easy to perform, with proof-of-concept exploits publicly available.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs during the processing of encrypted XLSX files by the xlnt library, specifically in the function xlnt::detail::compound_document_istreambuf::xsgetn. Detection involves monitoring for crashes or abnormal behavior when loading or parsing encrypted XLSX files locally.

Since the exploit requires local access and triggers out-of-bounds reads causing crashes, one way to detect it is by running the xlnt library with AddressSanitizer (ASAN) enabled to catch heap-buffer-overflow errors.

A minimal test harness can be used to load XLSX files using xlnt's API and observe if crashes or ASAN reports occur when processing encrypted files.

No specific network detection commands are applicable because the attack vector is local execution only. [2, 3, 4]
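The explanation above describes the mechanism (a stream whose sectors are listed in a vector, with an end-of-chain condition that has to stop the read) and the detection answer recommends an ASAN-instrumented harness. The C++ model below is an added example, not code from xlnt or from this record: it shows how a sector-chain read in a compound-document container is bounded so that a request running past the end of the chain returns a short count, and a chain naming a sector outside the container is rejected before any byte is touched. The sector size, the container layout, the names Container, StreamInfo, validate and read_at, and the file data are all constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Sector size chosen for the example; real compound documents use 512 or 4096.
constexpr std::size_t kSectorSize = 64;

// Whole compound document held in memory (constructed sample data below).
struct Container {
    std::vector<std::uint8_t> bytes;
    std::size_t sector_count() const { return bytes.size() / kSectorSize; }
};

// A stream inside the container: its ordered sector chain (as it would be
// read from the FAT) and its declared logical length.
struct StreamInfo {
    std::vector<std::uint32_t> sectors;
    std::size_t length;
};

// Check the chain against the container before any byte is read: every sector
// index must exist, and the declared length must fit within the chain.
void validate(const Container &doc, const StreamInfo &s) {
    for (std::uint32_t idx : s.sectors)
        if (idx >= doc.sector_count())
            throw std::out_of_range("sector index outside container");
    if (s.length > s.sectors.size() * kSectorSize)
        throw std::length_error("declared stream length exceeds sector chain");
}

// Copy up to n bytes starting at stream offset pos into out; returns the count
// actually copied. Follows the std::streambuf::xsgetn contract: a short count
// at end of stream instead of reading past the last sector of the chain.
std::size_t read_at(const Container &doc, const StreamInfo &s,
                    std::size_t pos, std::uint8_t *out, std::size_t n) {
    if (pos >= s.length) return 0;
    // Clamp to the declared length, not to the caller's request.
    std::size_t want = std::min(n, s.length - pos);
    std::size_t copied = 0;
    while (copied < want) {
        std::size_t chain_index = (pos + copied) / kSectorSize;
        std::size_t in_sector = (pos + copied) % kSectorSize;
        // End of chain: stop and report the short count rather than reading on.
        if (chain_index >= s.sectors.size()) break;
        std::size_t base = static_cast<std::size_t>(s.sectors[chain_index]) * kSectorSize;
        std::size_t chunk = std::min(kSectorSize - in_sector, want - copied);
        std::memcpy(out + copied, doc.bytes.data() + base + in_sector, chunk);
        copied += chunk;
    }
    return copied;
}

// Constructed sample container: four sectors filled with 'A', 'B', 'C', 'D'.
Container make_demo_container() {
    Container doc;
    doc.bytes.resize(4 * kSectorSize);
    for (std::size_t i = 0; i < 4; ++i)
        std::memset(doc.bytes.data() + i * kSectorSize, 'A' + static_cast<int>(i), kSectorSize);
    return doc;
}

// Read a fragmented 100-byte stream (sector 2, then sector 0) with a 256-byte
// request: the result is 64 x 'C' followed by 36 x 'A', nothing more.
std::vector<std::uint8_t> demo_read_fragmented() {
    Container doc = make_demo_container();
    StreamInfo s{{2, 0}, 100};
    validate(doc, s);
    std::vector<std::uint8_t> out(256, 0);
    out.resize(read_at(doc, s, 0, out.data(), out.size()));
    return out;
}

// A request that starts inside the last sector and runs past the stream end
// yields only the bytes that remain (10 here).
std::size_t demo_read_tail() {
    Container doc = make_demo_container();
    StreamInfo s{{2, 0}, 100};
    validate(doc, s);
    std::uint8_t buf[50];
    return read_at(doc, s, 90, buf, sizeof buf);
}

// A chain naming a sector that does not exist (index 7 in a 4-sector file) is
// rejected before any memory is touched.
bool demo_rejects_bad_chain() {
    Container doc = make_demo_container();
    StreamInfo s{{2, 7}, 100};
    try { validate(doc, s); } catch (const std::out_of_range &) { return true; }
    return false;
}

int main() {
    std::printf("fragmented read: %zu bytes\n", demo_read_fragmented().size());
    std::printf("tail read: %zu bytes\n", demo_read_tail());
    std::printf("bad chain rejected: %s\n", demo_rejects_bad_chain() ? "yes" : "no");
    return 0;
}
```

Building this model with `-fsanitize=address` and deleting the end-of-chain check in read_at makes the sanitizer report a heap-buffer-overflow on the over-long request, which is the same ASAN check the detection answer suggests applying to a harness around xlnt itself.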


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to apply the official patch (patch 147) provided by the xlnt-community to fix the vulnerability in the xlnt library.

Users of xlnt versions up to 1.6.1 should promptly update to a patched version that includes this fix.

Since exploitation requires local access, restricting local access to trusted users and environments can reduce risk.

Avoid processing untrusted or specially crafted encrypted XLSX files with vulnerable versions of the xlnt library until patched.

