CVE-2017-12626 in Retail Sales Audit
Summary
by MITRE
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
Analysis
by VulDB Data Team • 05/29/2026
Apache POI versions prior to 3.17 contain denial of service vulnerabilities that can be triggered by maliciously crafted office documents and graphics files. They stem from parsing routines that trust length and offset fields taken from the file itself, without sufficient validation or loop bounds checking, across the WMF, EMF, MSG, DOC, PPT and XLS formats.

Two failure modes are involved. First, infinite loops while processing crafted embedded graphics (WMF, EMF), MSG files and macro content (POI bugs 61338 and 61294): a loop whose exit condition depends on a record advancing never terminates, so the parsing thread consumes CPU indefinitely and can leave the host unstable. Second, out of memory exceptions while processing malformed DOC, PPT and XLS files (POI bugs 52372 and 61295): a size declared in the file is used to allocate memory before it is checked against the data actually present, so a small file can request an allocation that exhausts the heap and crashes the application.

These issues correspond to CWE-835 (Loop with Unreachable Exit Condition, the infinite loop class) and CWE-770 (Allocation of Resources Without Limits or Throttling). The attack surface is broad because Apache POI is embedded in many applications that process office documents, which makes the flaws particularly relevant in enterprise environments where document ingestion is routine. Operationally, exploitation requires no privileges beyond getting a file parsed, for example through an upload form, a mail attachment handler or a batch conversion job, and the impact is on availability. In ATT&CK terms the outcome is T1499 (Endpoint Denial of Service); T1059 (Command and Scripting Interpreter) is a weaker fit, since the trigger is a crafted file handed to the parser rather than script execution.
The impact extends beyond simple service disruption: any application that relies on Apache POI for document processing inherits these flaws, so a single crafted attachment can cause cascading failures in document management systems, mail gateways that inspect attachments, and content management platforms. Organizations should upgrade to Apache POI 3.17 or later, where the affected parsers bound their loops and check declared sizes before allocating. Until the upgrade is in place, file type and size validation reduces exposure but cannot reliably tell a crafted document from a legitimate one, because the malicious values sit in internal record headers rather than in anything a superficial check sees. The effective interim controls are to isolate parsing in a separate process or container with a CPU time limit and a memory cap, so a hung or crashed parser does not take the service down with it.
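The following is an added example, not Apache POI code and not part of this advisory. It uses a constructed TLV-style record stream (2-byte type, 4-byte total length including the header, little-endian) to show the two defect classes described above side by side: an unchecked walker in the CWE-835/CWE-770 pattern, and a hardened parser that enforces progress on every iteration and bounds every allocation by both a policy cap and the bytes actually remaining. The record layout, the caps and the sample inputs are all assumptions; real WMF/EMF/DOC/PPT/XLS layouts differ, but the checks are the ones the upgrade paragraph refers to.

```python
"""Toy record-stream parser illustrating CWE-835 (unbounded loop) and
CWE-770 (unbounded allocation), the classes behind CVE-2017-12626.

Added example; this is NOT Apache POI code. The record layout is a
constructed TLV format: type:u16, total_len:u32 (header included),
little-endian, followed by the payload.
"""
import struct
from itertools import islice

HEADER = struct.Struct("<HI")   # type:u16, total_len:u32 -> 6 bytes


class ParseError(ValueError):
    pass


def walk_records_unchecked(data):
    """Vulnerable pattern: trusts the in-file length field blindly.

    Yields (offset, type, declared_len) per loop iteration instead of
    allocating, so the loop can be inspected without hanging the process.
    A zero length means the offset never advances (infinite loop); a huge
    length is where a real parser would do bytearray(declared_len) and
    exhaust the heap before noticing the file is far shorter than that.
    """
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        yield offset, rtype, length
        offset += length   # no progress check, no bound on length


def parse_records(data, max_record_len=1 << 20, max_records=10_000):
    """Hardened parser: bounded loop and bounded allocation (assumed caps)."""
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ParseError(f"truncated header at offset {offset}")
        rtype, length = HEADER.unpack_from(data, offset)
        # CWE-835: every iteration must advance by at least the header size
        if length < HEADER.size:
            raise ParseError(f"record at {offset} has length {length} < header size")
        # CWE-770: allocation bounded by a policy cap and by the remaining input
        if length > max_record_len:
            raise ParseError(f"record at {offset} declares {length} bytes, cap is {max_record_len}")
        if length > len(data) - offset:
            raise ParseError(f"record at {offset} declares {length} bytes, "
                             f"only {len(data) - offset} remain")
        payload = bytes(data[offset + HEADER.size: offset + length])
        records.append((rtype, payload))
        offset += length
        if len(records) > max_records:
            raise ParseError("too many records")
    return records


def make_record(rtype, payload, declared_len=None):
    """Build one record; declared_len lets a sample lie about its length."""
    if declared_len is None:
        declared_len = HEADER.size + len(payload)
    return HEADER.pack(rtype, declared_len) + payload


# Constructed sample inputs (not real files)
BENIGN = make_record(1, b"hello") + make_record(2, b"world!!")
ZERO_LEN = make_record(1, b"hello") + make_record(9, b"", declared_len=0)
HUGE_LEN = make_record(1, b"hello") + make_record(9, b"x", declared_len=0xFFFFFFFF)


def stuck_offsets(data, n=5):
    """First n offsets the unchecked loop visits (finite slice of a possibly infinite walk)."""
    return [off for off, _, _ in islice(walk_records_unchecked(data), n)]


def safe_parse(data):
    """Return ('ok', records) or ('rejected', reason) from the hardened parser."""
    try:
        return "ok", parse_records(data)
    except ParseError as e:
        return "rejected", str(e)


if __name__ == "__main__":
    print("unchecked walk on zero-length record:", stuck_offsets(ZERO_LEN))
    for name, blob in [("benign", BENIGN), ("zero_len", ZERO_LEN), ("huge_len", HUGE_LEN)]:
        print(name, safe_parse(blob))
```

On the zero-length sample the unchecked walker revisits offset 11 forever, which is the CWE-835 shape; on the oversized sample it would hand a 4 GiB request to the allocator for an 18-byte file, which is the CWE-770 shape. The hardened parser rejects both before doing any work, and the remaining-input check matters as much as the fixed cap: a cap alone still lets a 1 MiB declared length be allocated for a 100-byte file.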