CVE-2026-59162 in excelizeinfo

Summary

by MITRE • 07/10/2026

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and panic when read through GetCellValue or GetRows. This issue is fixed in version 2.11.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in Excelize library represents a critical buffer underflow condition that can lead to application termination and denial of service. This flaw exists in the shared string parsing mechanism where the library uses strconv.Atoi to convert cell values into integers without proper validation of the resulting integer range. The specific issue occurs when processing XLSX files containing shared-string cells with negative values such as -1, which directly translates to invalid array indexing operations that can cause program crashes.

The technical implementation of this vulnerability stems from improper input validation within the Excelize library's internal parsing routines. When GetCellValue or GetRows functions encounter shared-string references in XLSX files, they execute a conversion process through strconv.Atoi that does not account for negative integer values. The resulting negative integer is then used directly as an array index without range checking against the shared string slice boundaries, creating an exploitable condition where the indexing operation accesses memory locations outside the valid array bounds.

This vulnerability operates at the intersection of multiple cybersecurity domains including software security and application robustness. From a CWE perspective, this represents a classic buffer underflow issue classified under CWE-129, which deals with inadequate bounds checking on string or buffer operations. The flaw also aligns with ATT&CK tactics related to privilege escalation and denial of service through application instability, as malicious actors could potentially craft specially formatted XLSX files to crash applications using the library.

The operational impact of this vulnerability extends beyond simple application crashes to encompass broader system stability concerns for any software utilizing Excelize for spreadsheet processing. Applications that process user-uploaded Excel files become particularly vulnerable since they may not expect or properly handle malformed shared string references, potentially leading to service disruption and potential data loss scenarios when encountering crafted malicious spreadsheets.

Mitigation strategies for this vulnerability require immediate version updates to Excelize 2.11.0 or later, which implements proper bounds checking for shared string indexing operations. Additionally, developers should implement defensive programming practices including input validation for all external data sources, particularly when dealing with integer conversions that will be used as array indices. Organizations should also establish robust testing procedures including fuzzing of spreadsheet parsing functions to identify similar boundary condition vulnerabilities in their software dependencies and implement proper error handling mechanisms that prevent application crashes from unhandled exceptions.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!