CVE-2026-26825
Modified Modified - Updated After Analysis
Use-of-Uninitialized Memory in libxls When Parsing XLS Files

Publication date: 2026-06-03

Last updated on: 2026-06-08

Assigner: MITRE

Description
A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-08
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-26825
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libxls_project libxls 1.6.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-of-uninitialized memory flaw in libxls version 1.6.3 that occurs when parsing malformed XLS files.

It happens during the workbook parsing process via the function xls_parseWorkBook(), where uninitialized heap memory from the OLE layer (ole2_read) is accessed.

The root cause is that the OLE parsing layer assumes buffers allocated by ole_malloc() are fully populated, but malformed or short OLE streams can leave parts of these buffers uninitialized.

Because there is no explicit zero-initialization or bounds checking, this uninitialized memory can influence control or data flow, leading to undefined behavior, incorrect parsing logic, or potential information disclosure.

Impact Analysis

The vulnerability can lead to several impacts including undefined behavior and incorrect parsing of XLS files.

More critically, it may cause potential information disclosure if uninitialized memory contents are copied or serialized during processing.

In practical terms, this means that sensitive or unintended data from memory could be exposed when handling crafted XLS files with the vulnerable libxls version.

Detection Guidance

This vulnerability can be detected by using MemorySanitizer (MSAN) to analyze the libxls 1.6.3 library when it parses XLS files. Specifically, building libxls 1.6.3 with MemorySanitizer enabled and then parsing a crafted XLS file using the xls_open_buffer() function can reproduce the issue.

There are no explicit network detection commands provided, but detection involves instrumenting the libxls library with MemorySanitizer and running tests on XLS files to identify use-of-uninitialized memory.

Compliance Impact

The vulnerability in libxls 1.6.3 can lead to potential information disclosure due to use of uninitialized memory when parsing malformed XLS files. Such information disclosure risks could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data from unauthorized access or leaks.

However, the provided information does not explicitly describe the extent or nature of data exposure or how it directly affects compliance with these standards.

Mitigation Strategies

To mitigate this vulnerability, avoid using libxls version 1.6.3 to parse untrusted or malformed XLS files until a patched version is available.

If possible, build libxls with MemorySanitizer (MSAN) enabled to detect uninitialized memory usage during testing and development.

Consider validating or sanitizing XLS files before parsing to reduce the risk of triggering the vulnerability.

Monitor the libxls project for updates or patches that address this issue and apply them promptly once released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26825. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart