CVE-2026-3663
Received Received - Intake
Out-of-Bounds Read in xlnt XLSX Parser (Local Access

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3663
EUVD
EUVD-2026-10155
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xlnt-community xlnt to 1.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3663 is a heap-based buffer overflow vulnerability (out-of-bounds read) in the xlnt library, specifically in the function xlnt::detail::compound_document_istreambuf::xsgetn within the XLSX File Parser component.

The vulnerability occurs when parsing encrypted XLSX files, particularly during the reading of Agile Encryption information. The function reads data from a fragmented stream stored in an OLE container, where the stream sectors are tracked by a vector. Due to improper handling of the end-of-chain condition, the function reads beyond the allocated buffer, causing an out-of-bounds memory access.

This out-of-bounds read can lead to application crashes or potentially allow attackers to read sensitive memory, resulting in denial of service or information disclosure.

Impact Analysis

The vulnerability can cause crashes of applications using the xlnt library when processing specially crafted encrypted XLSX files, leading to denial of service.

Additionally, the out-of-bounds read may allow attackers with local access to read sensitive memory, potentially leading to information disclosure.

Exploitation requires local access and is considered easy to perform, with proof-of-concept exploits publicly available.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability occurs during the processing of encrypted XLSX files by the xlnt library, specifically in the function xlnt::detail::compound_document_istreambuf::xsgetn. Detection involves monitoring for crashes or abnormal behavior when loading or parsing encrypted XLSX files locally.'}, {'type': 'paragraph', 'content': 'Since the exploit requires local access and triggers out-of-bounds reads causing crashes, one way to detect it is by running the xlnt library with AddressSanitizer (ASAN) enabled to catch heap-buffer-overflow errors.'}, {'type': 'paragraph', 'content': "A minimal test harness can be used to load XLSX files using xlnt's API and observe if crashes or ASAN reports occur when processing encrypted files."}, {'type': 'paragraph', 'content': 'No specific network detection commands are applicable because the attack vector is local execution only.'}] [2, 3, 4]

Mitigation Strategies

The primary mitigation step is to apply the official patch (patch 147) provided by the xlnt-community to fix the vulnerability in the xlnt library.

Users of xlnt versions up to 1.6.1 should promptly update to a patched version that includes this fix.

Since exploitation requires local access, restricting local access to trusted users and environments can reduce risk.

Avoid processing untrusted or specially crafted encrypted XLSX files with vulnerable versions of the xlnt library until patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3663. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart