Executive Summary

CVE-2026-3664 is an out-of-bounds read vulnerability in the xlnt library, specifically in the function xlnt::detail::compound_document::read_directory. This function parses the directory structure of encrypted XLSX files using the OLE Compound Document format. The vulnerability arises because the function reads directory entry indices directly from the file without proper validation. If a malicious or corrupted XLSX file contains invalid or excessively large indices, the function accesses memory outside the valid bounds, causing a segmentation fault or crash.

This issue is classified under CWE-125 (Out-of-bounds Read) and CWE-129 (Improper Validation of Array Index). The vulnerability can be triggered by loading a crafted XLSX file locally, leading to a crash due to invalid memory access.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can cause applications using the xlnt library to crash or experience undefined behavior when processing specially crafted encrypted XLSX files. This leads to a denial of service condition due to segmentation faults triggered by out-of-bounds memory reads.

Since the attack vector is local, an attacker must have local access to exploit this vulnerability. Exploitation is considered easy, and proof-of-concept exploits are publicly available.

Overall, the impact is primarily on system availability and stability, potentially disrupting services or applications that rely on the xlnt library for handling encrypted XLSX files.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability manifests as a segmentation fault caused by an out-of-bounds read when parsing a malicious or corrupted encrypted XLSX file using the xlnt library. Detection involves identifying crashes or segmentation faults in applications that use xlnt to load XLSX files, especially when processing encrypted files.

Since the attack vector is local and triggered by loading a crafted XLSX file, detection can be performed by monitoring application logs for crashes or by running test loads of suspicious XLSX files in a controlled environment.

Suggested commands to detect the vulnerability include running the application or test harness with AddressSanitizer (ASAN) enabled to catch invalid memory accesses. For example, on Linux with Clang and ASAN enabled, you can run:

• clang++ -fsanitize=address -g -O1 your_test_program.cpp -o test_program
• ./test_program malicious_file.xlsx

Monitoring system logs (e.g., dmesg or journalctl) for segmentation faults related to the application loading XLSX files can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the official patch (patch 147) released by the xlnt-community to fix the out-of-bounds read vulnerability in the xlnt library versions up to 1.6.1.

If immediate patching is not possible, restrict local access to systems running vulnerable versions of xlnt to prevent exploitation, as the attack requires local execution.

Additionally, avoid opening or processing untrusted or suspicious encrypted XLSX files with affected versions of the xlnt library.

Monitoring for crashes or abnormal behavior in applications using xlnt can help detect exploitation attempts until the patch is applied.

Useful 0 Not Useful 0