Cyber Resilience

CVE-2026-3463

Medium · Public PoC

Published: 03 March 2026

Modified: 10 March 2026
CVSS Score v4: 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3463 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Xlnt-Community Xlnt. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 7.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3463 is a heap-based buffer overflow vulnerability affecting xlnt-community xlnt library versions up to 1.6.1. The flaw resides in the xlnt::detail::binary_writer::append function within the source/detail/binary.hpp file of the Compound Document Parser component. Published on 2026-03-03, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow), earning a CVSS v3.1 base score of 3.3.

The vulnerability requires local access (AV:L) with low privileges (PR:L) and low complexity (AC:L), with no user interaction needed (UI:N) and unchanged scope (S:U). An attacker can trigger the buffer overflow to cause a limited denial of service (A:L), with no effects on confidentiality (C:N) or integrity (I:N).

Advisories recommend applying the patch available in pull request #147 on the xlnt-community/xlnt GitHub repository. Details on the issue, including discussion and reproduction steps, are documented in GitHub issue #138 and related comments.

A public proof-of-concept exploit is available at https://github.com/oneafter/0128/blob/main/xl2/repro, which could facilitate attacks on unpatched systems.

Vulnerability details

A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Patch name: 147. It is suggested to install a patch to address this issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Heap buffer overflow in local document parser library directly enables application crash/DoS via exploitation (T1499.004); no RCE, priv-esc, or other impacts described.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3663 - Same product: Xlnt-Community Xlnt
CVE-2026-3393 - Shared CWE-119, CWE-122
CVE-2026-2661 - Shared CWE-119, CWE-122
CVE-2025-32990 - Shared CWE-122
CVE-2024-52923 - Shared CWE-119
CVE-2026-28842 - Shared CWE-122
CVE-2026-2522 - Shared CWE-119
CVE-2026-28944 - Shared CWE-119
CVE-2026-28953 - Shared CWE-119
CVE-2025-0755 - Shared CWE-122

Affected Assets

xlnt-community xlnt ≤ 1.6.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires applying the vendor patch (PR #147) that removes the heap buffer overflow in binary_writer::append.

Prevent: Enforces memory-protection mechanisms (ASLR, guard pages, safe allocators) that block exploitation of the CWE-122 flaw even if the vulnerable parser is reached.

Prevent: Requires validation of all input supplied to the Compound Document Parser, preventing malformed data from reaching the unchecked append operation.
