CVE-2026-59161
Undergoing Analysis Undergoing Analysis - In Progress

Memory Exhaustion in Excelize via Malformed XLSX

Vulnerability report for CVE-2026-59161, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the streaming worksheet reader used by Rows and GetRows does not enforce the TotalRows limit on the row r attribute, allowing a small XLSX file with a row number above 1048576 and no cell coordinate to make GetRows append empty rows up to the attacker-controlled index and consume excessive memory and CPU. This issue is fixed in version 2.11.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
excelize excelize to 2.11.0 (exc)
qax-os excelize to 2.11.0 (exc)
qax-os excelize 2.11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59161 is a vulnerability in the Excelize Go library used for reading and writing Microsoft Excel spreadsheets. The issue exists in versions up to 2.10.1 where the streaming worksheet reader, used by functions like GetRows and Rows, does not enforce the maximum allowed row number limit (1,048,576).

An attacker can craft a malicious XLSX file with a row number exceeding this limit and without a cell coordinate, causing the GetRows function to append empty rows up to the attacker-controlled row index. This leads to excessive memory and CPU consumption because the program allocates resources proportional to the large row number.

For example, a row attribute with r="2000000" causes the program to allocate a slice of length 2,000,000 and about 46 MB of memory, which can degrade system performance or cause denial of service.

Compliance Impact

The vulnerability in Excelize (CVE-2026-59161) allows an attacker to cause uncontrolled resource consumption by bypassing row-bound checks, leading to excessive memory and CPU usage. This is primarily an availability issue related to resource exhaustion.

There is no direct information in the provided resources linking this vulnerability to compliance impacts with common standards and regulations such as GDPR or HIPAA.

However, uncontrolled resource consumption vulnerabilities can indirectly affect compliance by causing denial of service or system instability, which may impact availability requirements under certain regulations.

Impact Analysis

This vulnerability can lead to uncontrolled resource consumption, specifically excessive memory and CPU usage, when processing maliciously crafted Excel files.

Such resource exhaustion can degrade the performance of applications using the Excelize library, potentially causing slowdowns, crashes, or denial of service conditions.

If your system or application processes untrusted XLSX files using vulnerable versions of Excelize, it could be exploited by attackers to disrupt service availability.

Detection Guidance

This vulnerability involves the Excelize library's streaming worksheet reader not enforcing row number limits, which can lead to excessive memory and CPU consumption when processing malicious XLSX files.

To detect exploitation attempts on your system, monitor for unusually high memory or CPU usage by applications using the Excelize library when processing XLSX files.

You can also inspect XLSX files for rows with row numbers exceeding the Excel maximum (1,048,576) without cell coordinates, which are indicators of crafted malicious files.

Suggested commands to help detect potential exploitation include:

  • Use system monitoring tools like `top` or `htop` on Linux to observe processes consuming excessive CPU or memory.
  • Use `lsof` or similar tools to identify which files are opened by processes consuming resources.
  • Extract and inspect XLSX files (which are ZIP archives) using `unzip -l file.xlsx` and then examine the worksheet XML files for suspicious row attributes with commands like `unzip -p file.xlsx xl/worksheets/sheet1.xml | grep 'r="[0-9]\{7,\}"'` to find row numbers exceeding 1,048,576.
Mitigation Strategies

The primary mitigation is to upgrade the Excelize library to version 2.11.0 or later, where the streaming worksheet reader enforces the TotalRows limit and prevents this uncontrolled resource consumption.

If upgrading is not immediately possible, consider implementing input validation to reject XLSX files with row numbers exceeding the maximum allowed (1,048,576) before processing.

Additionally, monitor resource usage of applications using Excelize and limit resource allocation where possible to reduce the impact of potential exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59161. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart