CVE-2026-3463
Published: 03 March 2026
Summary
CVE-2026-3463 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Xlnt-Community Xlnt. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 7.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3463 is a heap-based buffer overflow vulnerability affecting xlnt-community xlnt library versions up to 1.6.1. The flaw resides in the xlnt::detail::binary_writer::append function within the source/detail/binary.hpp file of the Compound Document Parser component. Published on 2026-03-03, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow), earning a CVSS v3.1 base score of 3.3.
The vulnerability requires local access (AV:L) with low privileges (PR:L) and low complexity (AC:L), with no user interaction needed (UI:N) and scope unchanged (S:U). An attacker can trigger the buffer overflow to cause a limited denial of service (A:L), with no effects on confidentiality (C:N) or integrity (I:N).
Advisories recommend applying the patch available in pull request #147 on the xlnt-community/xlnt GitHub repository. Details on the issue, including discussion and reproduction steps, are documented in GitHub issue #138 and related comments.
A public proof-of-concept exploit is available at https://github.com/oneafter/0128/blob/main/xl2/repro, which could facilitate attacks on unpatched systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9285
Vulnerability details
A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Patch name: 147. It is suggested to install a patch to address this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in local document parser library directly enables application crash/DoS via exploitation (T1499.004); no RCE, priv-esc, or other impacts described.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patch (PR #147) that removes the heap buffer overflow in binary_writer::append.
Enforces memory-protection mechanisms (ASLR, guard pages, safe allocators) that block exploitation of the CWE-122 flaw even if the vulnerable parser is reached.
Requires validation of all input supplied to the Compound Document Parser, preventing malformed data from reaching the unchecked append operation.