CVE-2026-26825
Use-of-Uninitialized Memory in libxls When Parsing XLS Files

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.
Meta information
Published: 2026-06-03
Last modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS evaluated: N/A
Affected vendors & products
Vendor: libxls
Product: libxls
Version / range: 1.6.3
CWE: not assigned (CWE-UNKNOWN)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-of-uninitialized memory flaw in libxls version 1.6.3 that occurs when parsing malformed XLS files.

It happens during the workbook parsing process via the function xls_parseWorkBook(), where uninitialized heap memory from the OLE layer (ole2_read) is accessed.

The root cause is that the OLE parsing layer assumes buffers allocated by ole_malloc() are fully populated, but malformed or short OLE streams can leave parts of these buffers uninitialized.

Because there is no explicit zero-initialization or bounds checking, this uninitialized memory can influence control or data flow, leading to undefined behavior, incorrect parsing logic, or potential information disclosure.
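The short-read pattern this answer describes, shown as an added illustration that is not libxls code: a hypothetical in-memory stream standing in for an OLE stream, a reader that discards the byte count the stream returned (so the tail of its malloc'd buffer keeps whatever the allocator left there), and a hardened reader that zero-fills the allocation and rejects a truncated record instead of handing it on. All names (mem_stream_t, stream_read, read_record_unchecked, read_record_checked) and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an OLE stream: a byte array with a read cursor.
   Hypothetical type, not part of libxls. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} mem_stream_t;

/* Hypothetical stream read: copies up to n bytes and returns how many were
   actually copied. A truncated stream returns fewer than requested. */
static size_t stream_read(mem_stream_t *s, uint8_t *out, size_t n) {
    size_t avail = s->len - s->pos;
    size_t take = n < avail ? n : avail;
    memcpy(out, s->data + s->pos, take);
    s->pos += take;
    return take;
}

/* Vulnerable pattern: allocate `want` bytes, ignore the short-read count and
   treat the whole buffer as populated. Bytes [got, want) are never written,
   so any later read of them is a use of uninitialised memory (what MSAN
   reports). The function itself does not read the tail; a caller that
   parses the "record" would. */
uint8_t *read_record_unchecked(mem_stream_t *s, size_t want) {
    uint8_t *buf = malloc(want);
    if (!buf) return NULL;
    stream_read(s, buf, want);   /* return value discarded */
    return buf;                  /* caller assumes all `want` bytes are valid */
}

/* Hardened pattern: zero-initialise the allocation, compare the bytes
   actually read against the bytes required, and refuse a partial record.
   Returns 0 and sets *out on success, -1 on truncation or allocation failure. */
int read_record_checked(mem_stream_t *s, size_t want, uint8_t **out) {
    uint8_t *buf = calloc(1, want);
    if (!buf) return -1;
    size_t got = stream_read(s, buf, want);
    if (got != want) {           /* truncated stream: reject, do not guess */
        free(buf);
        return -1;
    }
    *out = buf;
    return 0;
}

/* Constructed sample: a 4-byte stream, too short for an 8-byte record. */
static const uint8_t sample_stream[] = { 0x09, 0x08, 0x10, 0x00 };

/* 1 if the checked reader rejects a record larger than the stream, else 0. */
int checked_rejects_truncated(void) {
    mem_stream_t s = { sample_stream, sizeof sample_stream, 0 };
    uint8_t *rec = NULL;
    int rc = read_record_checked(&s, 8, &rec);
    free(rec);
    return rc == -1 && rec == NULL;
}

/* 1 if the checked reader accepts a record that the stream fully holds. */
int checked_accepts_complete(void) {
    mem_stream_t s = { sample_stream, sizeof sample_stream, 0 };
    uint8_t *rec = NULL;
    int ok = read_record_checked(&s, 4, &rec) == 0 && rec != NULL && rec[2] == 0x10;
    free(rec);
    return ok;
}

int main(void) {
    printf("truncated record rejected: %s\n", checked_rejects_truncated() ? "yes" : "no");
    printf("complete record accepted:  %s\n", checked_accepts_complete() ? "yes" : "no");

    /* The unchecked reader "succeeds" on the same truncated stream; bytes
       4..7 of the result are uninitialised. They are deliberately not read
       here; under MemorySanitizer, a parser that consumed them would be flagged. */
    mem_stream_t s = { sample_stream, sizeof sample_stream, 0 };
    uint8_t *rec = read_record_unchecked(&s, 8);
    printf("unchecked reader returned a buffer: %s\n", rec ? "yes" : "no");
    free(rec);
    return 0;
}
```

To see the sanitizer in action, build the file with clang and `-fsanitize=memory` and add a read of the tail bytes of the unchecked result; MSAN reports the first use of the uninitialised bytes, which is the same class of report the advisory describes for libxls.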


How can this vulnerability impact me?

The vulnerability can lead to several impacts, including undefined behavior and incorrect parsing of XLS files.

More critically, it may cause potential information disclosure if uninitialized memory contents are copied or serialized during processing.

In practical terms, this means that sensitive or unintended data from memory could be exposed when handling crafted XLS files with the vulnerable libxls version.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by using MemorySanitizer (MSAN) to analyze the libxls 1.6.3 library when it parses XLS files. Specifically, building libxls 1.6.3 with MemorySanitizer enabled and then parsing a crafted XLS file using the xls_open_buffer() function can reproduce the issue.

There are no explicit network detection commands provided, but detection involves instrumenting the libxls library with MemorySanitizer and running tests on XLS files to identify use-of-uninitialized memory.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in libxls 1.6.3 can lead to potential information disclosure due to use of uninitialized memory when parsing malformed XLS files. Such information disclosure risks could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data from unauthorized access or leaks.

However, the provided information does not explicitly describe the extent or nature of data exposure or how it directly affects compliance with these standards.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid using libxls version 1.6.3 to parse untrusted or malformed XLS files until a patched version is available.

If possible, build libxls with MemorySanitizer (MSAN) enabled to detect uninitialized memory usage during testing and development.

Consider validating or sanitizing XLS files before parsing to reduce the risk of triggering the vulnerability.

Monitor the libxls project for updates or patches that address this issue and apply them promptly once released.

