CVE-2026-59161 in excelize
Summary
by MITRE • 07/10/2026
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the streaming worksheet reader used by Rows and GetRows does not enforce the TotalRows limit on the row r attribute, allowing a small XLSX file with a row number above 1048576 and no cell coordinate to make GetRows append empty rows up to the attacker-controlled index and consume excessive memory and CPU. This issue is fixed in version 2.11.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in Excelize library affects the streaming worksheet reader functionality that processes Excel files through Rows and GetRows methods. This flaw stems from inadequate validation of the TotalRows limit imposed on row attributes within XLSX file structures. The technical implementation fails to properly constrain the r attribute which represents row numbers in spreadsheet formats, allowing maliciously crafted files to specify row indices exceeding the standard Excel row limit of 1048576. When the library processes these malformed files, it continues appending empty rows up to the attacker-controlled index rather than rejecting or truncating the invalid row references at the boundary.
The operational impact of this vulnerability manifests as excessive resource consumption through memory allocation and CPU processing cycles. An attacker can craft a small XLSX file containing a single row with an r attribute set to a value above 1048576 but without any actual cell coordinates, causing the GetRows function to allocate memory for empty rows up to that specified index. This behavior results in significant memory bloat and processing overhead as the library attempts to maintain data structures for rows that exceed normal spreadsheet boundaries. The vulnerability creates a denial of service scenario where legitimate applications using Excelize may become unresponsive or consume excessive system resources when processing these specially crafted files.
This issue represents a classic example of insufficient input validation and boundary checking, aligning with CWE-129 Input Validation and CWE-704 Incorrect Calculation of Buffer Size. The vulnerability also maps to ATT&CK technique T1499.004 for resource consumption attacks where adversaries exploit software flaws to consume system resources. The fix implemented in version 2.11.0 addresses the core problem by enforcing proper validation of row attributes against established Excel format limits, ensuring that the streaming reader respects the maximum allowable row count and prevents excessive memory allocation beyond standard spreadsheet boundaries. This remediation follows security best practices for preventing denial of service conditions in file processing libraries and demonstrates the importance of robust input sanitization in parsing operations.