CVE-2026-3663
Published: 07 March 2026
Summary
CVE-2026-3663 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Xlnt-Community Xlnt. Its CVSS base score is 3.3 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read in XLSX parser enables local application crash/DoS via malicious file (T1499.004 Application or System Exploitation); no RCE, info leak, or priv-esc per CVSS (C:N/I:N/A:L, AV:L).
NVD Description
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local…
more
access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.
Deeper analysisAI
CVE-2026-3663 is an out-of-bounds read vulnerability in the xlnt-community xlnt library versions up to 1.6.1. The issue resides in the XLSX File Parser component, specifically the function xlnt::detail::compound_document_istreambuf::xsgetn within the file source/detail/cryptography/compound_document.cpp. Manipulation of input triggers the out-of-bounds read, as documented under CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read). The vulnerability carries a CVSS v3.1 base score of 3.3.
Exploitation requires local access (AV:L) with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N), resulting in unchanged scope (S:U). Successful exploitation leads to low-impact availability disruption (A:L) with no confidentiality (C:N) or integrity (I:N) effects, potentially causing a denial-of-service such as application crash.
Advisories recommend applying the patch named 147, available via the xlnt-community/xlnt GitHub pull request at https://github.com/xlnt-community/xlnt/pull/147, which addresses the issue reported in https://github.com/xlnt-community/xlnt/issues/139. A public proof-of-concept exploit exists at https://github.com/oneafter/0128/blob/main/xl3/repro.
The exploit has been made public, increasing the risk for unpatched xlnt deployments parsing untrusted XLSX files locally.
Details
- CWE(s)