{"id":"CVE-2026-26825","details":"A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure.","modified":"2026-07-08T07:32:27.699130069Z","published":"2026-06-03T00:00:00Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26825.json","cna_assigner":"mitre"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26825.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26825"},{"type":"REPORT","url":"https://github.com/libxls/libxls/issues/156"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libxls/libxls","events":[{"introduced":"c199d132494833da696b58aa4acf3fc5a36d930b"},{"last_affected":"c199d132494833da696b58aa4acf3fc5a36d930b"}],"database_specific":{"source":"CPE_STRING","cpe":"cpe:2.3:a:libxls_project:libxls:1.6.3:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.6.3"},{"last_affected":"1.6.3"}]}}],"versions":["1.6.3","v1.6.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26825.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}