Vulnerability Details CVE-2026-26824
libxls through version 1.6.3 contains a use-of-uninitialized-memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before being consumed by ole2_validate_sector_chain(), which may result in application crashes or information disclosure when processing a crafted XLS file.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.0%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-26824
- cpe:2.3:a:libxls_project:libxls:-
- cpe:2.3:a:libxls_project:libxls:0.2.0
- cpe:2.3:a:libxls_project:libxls:0.3.0
- cpe:2.3:a:libxls_project:libxls:1.0.0
- cpe:2.3:a:libxls_project:libxls:1.1.0
- cpe:2.3:a:libxls_project:libxls:1.2.0
- cpe:2.3:a:libxls_project:libxls:1.2.1
- cpe:2.3:a:libxls_project:libxls:1.3.0
- cpe:2.3:a:libxls_project:libxls:1.3.1
- cpe:2.3:a:libxls_project:libxls:1.3.2
- cpe:2.3:a:libxls_project:libxls:1.3.3
- cpe:2.3:a:libxls_project:libxls:1.3.4
- cpe:2.3:a:libxls_project:libxls:1.4.0
- cpe:2.3:a:libxls_project:libxls:1.5.0
- cpe:2.3:a:libxls_project:libxls:1.5.1
- cpe:2.3:a:libxls_project:libxls:1.5.2
- cpe:2.3:a:libxls_project:libxls:1.5.3
- cpe:2.3:a:libxls_project:libxls:1.6.0
- cpe:2.3:a:libxls_project:libxls:1.6.1
- cpe:2.3:a:libxls_project:libxls:1.6.2