CVE-2026-26824
Use of Uninitialized Memory in libxls OLE Parser

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
libxls through version 1.6.3 contains a use-of-uninitialized-memory vulnerability in its OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before it is consumed by ole2_validate_sector_chain(), which may result in application crashes or potential information disclosure when a crafted XLS file is processed.
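As an added illustration of the bug class and its fix (this is not libxls code; the table type, function names and sentinel handling are simplified, hypothetical stand-ins), a sector table loader that explicitly marks every slot not backed by file data as free before a chain walk, so the validator never reads indeterminate heap memory:

```c
#include <stdint.h>
#include <stdlib.h>

/* Sector-chain sentinels as defined by the OLE2 compound file format. */
#define SECT_ENDOFCHAIN 0xFFFFFFFEu
#define SECT_FREE       0xFFFFFFFFu

/* Hypothetical, simplified stand-in for an MSAT/SAT table (not libxls's types). */
typedef struct {
    uint32_t *entries;   /* one 32-bit sector id per slot */
    size_t    count;     /* number of slots the file header claims */
} sat_table;

/* Build the table from a body of little-endian sector ids. `declared` is the
 * slot count taken from the header, `have` the number of ids the body really
 * supplies. Slots the file does not back are set to SECT_FREE explicitly; a
 * plain malloc() would leave them indeterminate, which is the defect class the
 * advisory describes. */
static int sat_load(sat_table *t, size_t declared, const uint8_t *body, size_t have)
{
    if (have > declared) return -1;                  /* body cannot exceed header */
    t->entries = malloc(declared * sizeof(uint32_t));
    if (!t->entries) return -1;
    t->count = declared;
    for (size_t i = 0; i < have; i++)
        t->entries[i] = (uint32_t)body[4*i] | (uint32_t)body[4*i+1] << 8 |
                        (uint32_t)body[4*i+2] << 16 | (uint32_t)body[4*i+3] << 24;
    for (size_t i = have; i < declared; i++)
        t->entries[i] = SECT_FREE;                   /* the initialization that must not be skipped */
    return 0;
}

/* Walk a chain from `start`. Returns its length, or -1 if it leaves the table,
 * passes through a free slot, or loops (a valid chain visits each sector once). */
static long sat_validate_chain(const sat_table *t, uint32_t start)
{
    long steps = 0;
    uint32_t cur = start;
    while (cur != SECT_ENDOFCHAIN) {
        if (cur >= t->count || t->entries[cur] == SECT_FREE) return -1;
        if (++steps > (long)t->count) return -1;     /* cycle: longer than the table */
        cur = t->entries[cur];
    }
    return steps;
}
```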
Meta Information
Generated: 2026-06-04
Affected Vendors & Products
Vendor: libxls
Product: libxls
Version / Range: 1.6.3
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26824 is a vulnerability in libxls version 1.6.3 where the library uses uninitialized memory during the parsing of OLE container files, specifically XLS files.

The problem occurs because the memory allocated for the Master Sector Allocation Table (MSAT) in the function read_MSAT() is not fully initialized before it is processed by ole2_validate_sector_chain().

This incomplete initialization can lead to undefined behavior such as application crashes or potential information disclosure when processing specially crafted XLS files.


How can this vulnerability impact me?

This vulnerability can impact you by causing applications that use libxls to parse XLS files to crash or behave unpredictably.

Additionally, it may lead to potential information disclosure through heap memory residue, meaning sensitive data could be exposed when processing maliciously crafted XLS files.

The vulnerability could also be exploited to cause denial of service by triggering memory errors during file parsing.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for MemorySanitizer aborts when parsing XLS files using libxls. Specifically, applications using libxls to parse XLS data may trigger a MemorySanitizer abort if they process crafted XLS files that exploit the uninitialized memory in the OLE container parser.

A practical approach to detection is to run the vulnerable application or library with MemorySanitizer enabled and attempt to open or parse XLS files, especially untrusted or suspicious ones, using the function `xls_open_buffer()`.

There are no explicit command-line commands provided, but using tools like MemorySanitizer with debugging or testing environments to parse XLS files can help identify the vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in libxls may lead to potential information disclosure when processing crafted XLS files due to use of uninitialized memory. Such information disclosure risks could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information from unauthorized access or leaks.

Applications using libxls to parse XLS data might inadvertently expose sensitive data through this vulnerability, thereby increasing the risk of non-compliance with these standards that mandate strict controls on data confidentiality and integrity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in libxls version 1.6.3, avoid processing untrusted or crafted XLS files using libxls until a patched version is available.

Monitor the libxls project for updates or patches that address the uninitialized memory usage in the read_MSAT() function.

If possible, apply memory sanitization tools or runtime checks to detect and prevent exploitation when parsing XLS files.

