CVE-2026-26825

Source
https://cve.org/CVERecord?id=CVE-2026-26825
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26825.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26825
Downstream
Published
2026-06-03T00:00:00Z
Modified
2026-07-08T07:32:27.699130069Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xlsparseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26825.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/libxls/libxls

Affected ranges

Type
GIT
Repo
https://github.com/libxls/libxls
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:libxls_project:libxls:1.6.3:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.6.3"
        },
        {
            "last_affected": "1.6.3"
        }
    ]
}

Affected versions

1.*
1.6.3
v1.*
v1.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26825.json"