CVE-2026-3663
Published: 07 March 2026
Summary
CVE-2026-3663 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Xlnt-Community Xlnt. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3663 is an out-of-bounds read vulnerability in the xlnt-community xlnt library versions up to 1.6.1. The issue resides in the XLSX File Parser component, specifically the function xlnt::detail::compound_document_istreambuf::xsgetn within the file source/detail/cryptography/compound_document.cpp. Manipulation of input triggers the out-of-bounds read, as documented under CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read). The vulnerability carries a CVSS v3.1 base score of 3.3.
Exploitation requires local access (AV:L) with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N), resulting in unchanged scope (S:U). Successful exploitation leads to low-impact availability disruption (A:L) with no confidentiality (C:N) or integrity (I:N) effects, potentially causing a denial-of-service such as application crash.
Advisories recommend applying the patch named 147, available via the xlnt-community/xlnt GitHub pull request at https://github.com/xlnt-community/xlnt/pull/147, which addresses the issue reported in https://github.com/xlnt-community/xlnt/issues/139. A public proof-of-concept exploit exists at https://github.com/oneafter/0128/blob/main/xl3/repro.
The exploit has been made public, increasing the risk for unpatched xlnt deployments parsing untrusted XLSX files locally.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10155
Vulnerability details
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local…
more
access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read in XLSX parser enables local application crash/DoS via malicious file (T1499.004 Application or System Exploitation); no RCE, info leak, or priv-esc per CVSS (C:N/I:N/A:L, AV:L).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the available patch (PR 147) that eliminates the out-of-bounds read in the XLSX parser.
Mandates input validation and bounds checking on untrusted XLSX content before it reaches compound_document_istreambuf::xsgetn.
Requires memory-protection mechanisms that can contain or block the out-of-bounds read from corrupting adjacent memory.