CVE-2026-3463
Published: 03 March 2026
Summary
CVE-2026-3463 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Xlnt-Community Xlnt. Its CVSS base score is 3.3 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in local document parser library directly enables application crash/DoS via exploitation (T1499.004); no RCE, priv-esc, or other impacts described.
NVD Description
A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The…
more
exploit has been made available to the public and could be used for attacks. Patch name: 147. It is suggested to install a patch to address this issue.
Deeper analysisAI
CVE-2026-3463 is a heap-based buffer overflow vulnerability affecting xlnt-community xlnt library versions up to 1.6.1. The flaw resides in the xlnt::detail::binary_writer::append function within the source/detail/binary.hpp file of the Compound Document Parser component. Published on 2026-03-03, it is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow), earning a CVSS v3.1 base score of 3.3.
The vulnerability requires local access (AV:L) with low privileges (PR:L) and low complexity (AC:L), with no user interaction needed (UI:N) and no impact on scope (S:U). An attacker can trigger the buffer overflow to cause a limited denial of service (A:L), with no effects on confidentiality (C:N) or integrity (I:N).
Advisories recommend applying the patch available in pull request #147 on the xlnt-community/xlnt GitHub repository. Details on the issue, including discussion and reproduction steps, are documented in GitHub issue #138 and related comments.
A public proof-of-concept exploit is available at https://github.com/oneafter/0128/blob/main/xl2/repro, which could facilitate attacks on unpatched systems.
Details
- CWE(s)