CVE-2026-26825
Description
libxls 1.6.3 is vulnerable to use-of-uninitialized memory when parsing malformed XLS files, potentially leading to crashes or information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-of-uninitialized memory vulnerability exists in libxls version 1.6.3 when parsing malformed XLS files. The issue is reachable via the xls_parseWorkBook() function and is triggered by uninitialized heap memory originating from the OLE layer's ole2_read() function, particularly when short reads or malformed OLE streams occur. This flaw can lead to undefined behavior or incorrect parsing logic [1].
Exploitation
An attacker can trigger this vulnerability by providing a malformed XLS file to the xls_open_buffer() function. Exploitation requires a libxls build without memory sanitization, in which the uninitialized heap memory can influence control or data flow during workbook parsing. The OLE parsing layer incorrectly assumes that buffers are fully populated by ole2_read(), and downstream XLS parsing code trusts these potentially incomplete buffers [1].
Impact
Successful exploitation can result in undefined behavior during XLS parsing, incorrect workbook state, or logic errors. In non-instrumented builds, this may also lead to potential information disclosure if uninitialized memory contents are copied or serialized. The vulnerability increases the attack surface for downstream memory corruption issues [1].
Mitigation
libxls version 1.6.3 is affected. A fix for this vulnerability has not yet been disclosed in the available references. Users are advised to avoid parsing untrusted XLS files until a patched version is released [1].
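The short-read pattern described above, shown as an added example that is not libxls code: `stream_t`, `stream_read`, both `read_record_*` functions and the 2-byte length header are hypothetical stand-ins, and the sample bytes are constructed. It places the unchecked read beside a hardened form that zero-fills the buffer and rejects a truncated stream.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stream; a stand-in for an OLE stream, not a libxls type. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;
/* May return fewer bytes than requested (short read), like read(2). */
static size_t stream_read(stream_t *s, void *dst, size_t want) {
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Weak pattern: return value ignored, so after a short read the tail of
 * buf is uninitialized heap memory that the caller goes on to parse. */
uint8_t *read_record_unchecked(stream_t *s, size_t size) {
    uint8_t *buf = malloc(size);
    if (buf) stream_read(s, buf, size);
    return buf;
}

/* Hardened pattern: zero-filled allocation, hard failure on a short read. */
uint8_t *read_record_checked(stream_t *s, size_t size) {
    uint8_t *buf = calloc(1, size);
    if (!buf) return NULL;
    if (stream_read(s, buf, size) != size) {
        free(buf);
        return NULL;            /* truncated stream: reject, do not parse */
    }
    return buf;
}

/* Constructed samples: hypothetical 2-byte little-endian length, then payload. */
static const uint8_t truncated[] = { 0x08, 0x00, 0xAA, 0xBB, 0xCC }; /* claims 8, has 3 */
static const uint8_t complete[]  = { 0x02, 0x00, 0x11, 0x22 };

/* Returns 1 if the record is fully read, 0 if rejected as truncated. */
int parse_sample(const uint8_t *file, size_t len) {
    stream_t s = { file, len, 0 };
    uint8_t hdr[2];
    if (stream_read(&s, hdr, sizeof hdr) != sizeof hdr) return 0;
    size_t size = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
    uint8_t *payload = read_record_checked(&s, size);
    if (!payload) return 0;
    free(payload);
    return 1;
}
```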
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.