Source: r-cran-readxl
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libxls, which is part of r-cran-readxl:

CVE-2026-26824[0]:
| libxls through version 1.6.3 contains a use of uninitialized memory
| vulnerability in the OLE container parser. Memory allocated for the
| Master Sector Allocation Table (MSAT) in read_MSAT() is not fully
| initialized before being consumed by ole2_validate_sector_chain(),
| which may result in application crashes or potential information
| disclosure when processing a crafted XLS file

https://github.com/libxls/libxls/issues/156

CVE-2026-26825[1]:
| A use-of-uninitialized memory vulnerability exists in libxls 1.6.3
| when parsing malformed XLS files. The issue is reachable via
| xls_parseWorkBook() and is triggered by uninitialized heap memory
| originating from the OLE layer (ole2_read). The flaw is detectable
| with MemorySanitizer (MSAN) and can lead to undefined behavior,
| incorrect parsing logic, or potential information disclosure.

https://github.com/libxls/libxls/issues/155

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26824
    https://www.cve.org/CVERecord?id=CVE-2026-26824
[1] https://security-tracker.debian.org/tracker/CVE-2026-26825
    https://www.cve.org/CVERecord?id=CVE-2026-26825

Please adjust the affected versions in the BTS as needed.
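Both CVEs above describe the same bug class: a sector allocation table is allocated on the heap, the file is read into it, and the table is then walked without anyone confirming that the read actually filled the buffer, so a truncated or crafted file leaves the tail of the table holding stale heap contents. The following is an added illustration of the hardened pattern a maintainer would want in such a parser; it is not libxls code, and read_MSAT() / ole2_validate_sector_chain() are not reproduced here. The sector size, the end-of-chain and free-sector markers, the in-memory "file image" and the sample table are all assumed or constructed for this example. It rejects a short read before any entry is consulted, zero-initialises the table so no uninitialised bytes survive even if later logic changes, and bounds-checks every entry while walking a chain:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout constants in the style of an OLE2 compound file. Assumed for this
 * illustration; not taken from libxls. */
#define SECTOR_SIZE 512u
#define ENTRIES_PER_SECTOR (SECTOR_SIZE / 4u)
#define END_OF_CHAIN 0xFFFFFFFEu
#define FREE_SECTOR  0xFFFFFFFFu

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Load `nsectors` table sectors from an in-memory file image. The image is
 * treated like a file: if it ends before the table does, that is a short
 * read and the table is refused outright. The unfixed pattern this guards
 * against is malloc() followed by a read whose returned length is never
 * compared with the request, so the unread tail keeps old heap contents.
 * Returns NULL on failure; *out_entries is set only on success. */
uint32_t *load_sat(const uint8_t *img, size_t img_len, size_t table_off,
                   size_t nsectors, size_t *out_entries)
{
    if (nsectors == 0 || nsectors > SIZE_MAX / SECTOR_SIZE) return NULL;
    size_t bytes = nsectors * SECTOR_SIZE;
    if (table_off > img_len || bytes > img_len - table_off) return NULL; /* short read */
    size_t nentries = nsectors * ENTRIES_PER_SECTOR;
    uint32_t *sat = calloc(nentries, sizeof *sat); /* zeroed, never stale */
    if (!sat) return NULL;
    for (size_t i = 0; i < nentries; i++)
        sat[i] = le32(img + table_off + 4 * i);
    *out_entries = nentries;
    return sat;
}

/* Follow a chain from `start` and return its length, or -1 if it leaves the
 * table or loops. Every index is checked before it is used as a subscript. */
long validate_chain(const uint32_t *sat, size_t nentries, uint32_t start)
{
    unsigned char *seen = calloc(nentries, 1);
    if (!seen) return -1;
    long len = 0;
    uint32_t cur = start;
    while (cur != END_OF_CHAIN) {
        if (cur >= nentries || seen[cur]) { free(seen); return -1; }
        seen[cur] = 1;
        len++;
        cur = sat[cur];
    }
    free(seen);
    return len;
}

/* Constructed sample: one table sector holding the chain 0 -> 1 -> 2 -> end,
 * every other entry free. With `loop` set, sector 2 points back to 0. */
void make_sample_sat_image(uint8_t img[SECTOR_SIZE], int loop)
{
    for (size_t i = 0; i < ENTRIES_PER_SECTOR; i++)
        put_le32(img + 4 * i, FREE_SECTOR);
    put_le32(img + 0, 1);
    put_le32(img + 4, 2);
    put_le32(img + 8, loop ? 0u : END_OF_CHAIN);
}

/* Chain length of the sample image starting at sector 0, or -1 if invalid. */
long sample_chain_length(int loop)
{
    uint8_t img[SECTOR_SIZE];
    size_t n = 0;
    make_sample_sat_image(img, loop);
    uint32_t *sat = load_sat(img, sizeof img, 0, 1, &n);
    if (!sat) return -1;
    long len = validate_chain(sat, n, 0);
    free(sat);
    return len;
}

/* 1 if a copy of the sample cut to 300 bytes is refused before any entry is read. */
int sample_truncated_rejected(void)
{
    uint8_t img[SECTOR_SIZE];
    size_t n = 0;
    make_sample_sat_image(img, 0);
    uint32_t *sat = load_sat(img, 300, 0, 1, &n);
    free(sat);
    return sat == NULL;
}

int main(void)
{
    printf("intact sample: chain length %ld\n", sample_chain_length(0));
    printf("looping sample: chain length %ld\n", sample_chain_length(1));
    printf("truncated sample: %s\n",
           sample_truncated_rejected() ? "rejected before use" : "accepted");
    return 0;
}
```

The two checks that matter for this bug class are the short-read rejection in load_sat() and the `cur >= nentries` test in validate_chain(); building the parser with `-fsanitize=memory` (the MSAN the second advisory mentions) is the cheapest way to confirm that no path reads a table entry the file never supplied.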

