CVE-2026-26825 in libxlsinfo

Summary

by MITRE • 06/03/2026

A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

MITRE

Reservation

02/16/2026

Disclosure

06/03/2026

Moderation

accepted

Entry

VDB-368223

CPE

ready

CWE

CWE-824 (confirmed)

CVSS

5.5 (VulDB)

EPSS

0.00021

KEV

Activities

low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-26825
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-26825
CVE Details	https://www.cvedetails.com/cve/CVE-2026-26825/

◂ Previous Overview Next ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!