- Package: src:r-cran-readxl
- Source: src:r-cran-readxl
- Submitter: Moritz Mühlenhoff
- Date: 2026-06-24 13:15:01 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerabilities were published for libxls, which is part of r-cran-readxl:

CVE-2026-26824[0]:
| libxls through version 1.6.3 contains a use of uninitialized memory
| vulnerability in the OLE container parser. Memory allocated for the
| Master Sector Allocation Table (MSAT) in read_MSAT() is not fully
| initialized before being consumed by ole2_validate_sector_chain(),
| which may result in application crashes or potential information
| disclosure when processing a crafted XLS file

https://github.com/libxls/libxls/issues/156

CVE-2026-26825[1]:
| A use-of-uninitialized memory vulnerability exists in libxls 1.6.3
| when parsing malformed XLS files. The issue is reachable via
| xls_parseWorkBook() and is triggered by uninitialized heap memory
| originating from the OLE layer (ole2_read). The flaw is detectable
| with MemorySanitizer (MSAN) and can lead to undefined behavior,
| incorrect parsing logic, or potential information disclosure.

https://github.com/libxls/libxls/issues/155

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26824
    https://www.cve.org/CVERecord?id=CVE-2026-26824
[1] https://security-tracker.debian.org/tracker/CVE-2026-26825
    https://www.cve.org/CVERecord?id=CVE-2026-26825

Please adjust the affected versions in the BTS as needed.
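Both advisories above describe one bug class: a sector-allocation table is allocated, a short read leaves part of it uninitialized, and a chain validator then consumes the indeterminate entries. The C program below is an added example written for this page, not libxls code: it models that pattern on a toy 16-entry table and places a hardened reader beside it. Every function name, constant and the sample byte string are constructed here and are hypothetical, not libxls internals.

```c
/* Added example, not libxls code: a toy sector-allocation-table reader with
 * the bug class described above (table allocated, short read ignored,
 * indeterminate entries consumed by a chain walker) beside a hardened
 * version. Every name and constant here is hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MSAT_ENTRIES 16                      /* toy table of 16 sector indices */
#define ENTRY_BYTES  4
#define MSAT_BYTES   (MSAT_ENTRIES * ENTRY_BYTES)
#define END_OF_CHAIN 0xFFFFFFFEu

/* In-memory stand-in for a file handle; a small `len` models a truncated file. */
struct file_buf { const uint8_t *data; size_t len; };

/* Like fread(): returns the number of bytes actually copied. */
static size_t fake_read(const struct file_buf *f, size_t off, uint8_t *dst, size_t n) {
    if (off >= f->len) return 0;
    if (n > f->len - off) n = f->len - off;  /* short read at EOF */
    memcpy(dst, f->data + off, n);
    return n;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: malloc() leaves the buffers indeterminate and the
 * short-read count is dropped, so a truncated file yields a table whose
 * tail is whatever the allocator handed back. */
uint32_t *msat_read_unsafe(const struct file_buf *f) {
    uint8_t *raw = malloc(MSAT_BYTES);
    uint32_t *table = malloc(MSAT_ENTRIES * sizeof *table);
    if (!raw || !table) { free(raw); free(table); return NULL; }
    fake_read(f, 0, raw, MSAT_BYTES);        /* bytes past EOF are never written */
    for (size_t i = 0; i < MSAT_ENTRIES; i++) table[i] = le32(raw + i * ENTRY_BYTES);
    free(raw);
    return table;
}

/* Hardened: zero-initialize every allocation and reject a table the file
 * cannot supply in full, so no indeterminate value reaches the validator. */
uint32_t *msat_read_safe(const struct file_buf *f) {
    uint8_t *raw = calloc(1, MSAT_BYTES);
    uint32_t *table = calloc(MSAT_ENTRIES, sizeof *table);
    if (!raw || !table) { free(raw); free(table); return NULL; }
    if (fake_read(f, 0, raw, MSAT_BYTES) != MSAT_BYTES) {
        free(raw); free(table);
        return NULL;                         /* truncated container: refuse it */
    }
    for (size_t i = 0; i < MSAT_ENTRIES; i++) table[i] = le32(raw + i * ENTRY_BYTES);
    free(raw);
    return table;
}

/* Walk the chain from `start`; return its length, or -1 on an out-of-range
 * index or a loop. Fed an unsafe table from a truncated file, the first
 * branch on an uninitialized entry is what MemorySanitizer reports. */
int validate_chain(const uint32_t *table, uint32_t start) {
    uint8_t seen[MSAT_ENTRIES] = {0};
    int count = 0;
    for (uint32_t cur = start; cur != END_OF_CHAIN; cur = table[cur]) {
        if (cur >= MSAT_ENTRIES || seen[cur]) return -1;
        seen[cur] = 1; count++;
    }
    return count;
}

/* Constructed sample (little-endian): chain 0 -> 1 -> 2 -> end, rest free. */
static void build_sample_msat(uint8_t out[MSAT_BYTES]) {
    static const uint8_t head[12] = { 1,0,0,0, 2,0,0,0, 0xFE,0xFF,0xFF,0xFF };
    memset(out, 0xFF, MSAT_BYTES);           /* 0xFFFFFFFF = free sector */
    memcpy(out, head, sizeof head);
}

/* Chain length the hardened reader yields for the first `len` bytes of the
 * sample, or -2 when it rejects the file as truncated. */
int safe_chain_len(size_t len) {
    uint8_t buf[MSAT_BYTES];
    build_sample_msat(buf);
    struct file_buf f = { buf, len };
    uint32_t *t = msat_read_safe(&f);
    if (!t) return -2;
    int n = validate_chain(t, 0);
    free(t);
    return n;
}

/* 1 if the unsafe reader hands back a table for a `len`-byte file; it does
 * so even for a truncated one, which is the defect. Not walked here. */
int unsafe_accepts(size_t len) {
    uint8_t buf[MSAT_BYTES];
    build_sample_msat(buf);
    struct file_buf f = { buf, len };
    uint32_t *t = msat_read_unsafe(&f);
    if (!t) return 0;
    free(t);
    return 1;
}
```

With the full 64-byte sample the hardened reader returns a three-sector chain; with only the first 8 bytes it returns NULL before any table exists, while the unsafe reader still hands back a table whose entries from index 2 onward were never written. Building with `clang -fsanitize=memory -g` and passing that unsafe table to validate_chain produces the kind of MemorySanitizer report the second advisory refers to.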
Hi Jenny,

Just like a few years ago, there appears to be a (pair of) new CVE(s) for readxl.

Can I assume you will deal with this at the CRAN package level? The GH issues linked below were opened quite some time ago, and there is no follow-up from Evan I can see :-/ Have you been in contact with him?

Cheers, Dirk

On 12 June 2026 at 16:16, Moritz Mühlenhoff wrote:
| Source: r-cran-readxl
| X-Debbugs-CC: team@security.debian.org
| Severity: important
| Tags: security
|
| Hi,
|
| The following vulnerabilities were published for libxls, which is
| part of r-cran-readxl:
|
| CVE-2026-26824[0]:
| | libxls through version 1.6.3 contains a use of uninitialized memory
| | vulnerability in the OLE container parser. Memory allocated for the
| | Master Sector Allocation Table (MSAT) in read_MSAT() is not fully
| | initialized before being consumed by ole2_validate_sector_chain(),
| | which may result in application crashes or potential information
| | disclosure when processing a crafted XLS file
|
| https://github.com/libxls/libxls/issues/156
|
|
| CVE-2026-26825[1]:
| | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3
| | when parsing malformed XLS files. The issue is reachable via
| | xls_parseWorkBook() and is triggered by uninitialized heap memory
| | originating from the OLE layer (ole2_read). The flaw is detectable
| | with MemorySanitizer (MSAN) and can lead to undefined behavior,
| | incorrect parsing logic, or potential information disclosure.
|
| https://github.com/libxls/libxls/issues/155
|
|
| If you fix the vulnerabilities please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
|
| For further information see:
|
| [0] https://security-tracker.debian.org/tracker/CVE-2026-26824
|     https://www.cve.org/CVERecord?id=CVE-2026-26824
| [1] https://security-tracker.debian.org/tracker/CVE-2026-26825
|     https://www.cve.org/CVERecord?id=CVE-2026-26825
|
| Please adjust the affected versions in the BTS as needed.
Hi Dirk,

I do follow the libxls repo in a very passive manner, so presumably my eyeballs have been exposed to this.

But, no, I haven't got a true open issue about it, in the literal or metaphorical sense, nor have I corresponded with Evan.

Will you open a readxl issue stating that it's creating issues for you on Debian? That at least puts it on my radar.

Thanks, Jenny
On 12 June 2026 at 10:46, Jenny Bryan wrote:
| Hi Dirk,
|
| I do follow the libxls repo in a very passive manner, so presumably my
| eyeballs have been exposed to this.
|
| But, no, I haven't got a true open issue about it, in the literal or
| metaphorical sense, nor have I corresponded with Evan.
|
| Will you open a readxl issue stating that it's creating issues for you
| on Debian? That at least puts it on my radar.

Done, as you likely saw. Now at https://github.com/tidyverse/readxl/issues/795

Dirk

| Thanks, Jenny
|
| On Fri, Jun 12, 2026 at 8:18 AM Dirk Eddelbuettel <edd@debian.org> wrote:
| >
| >
| > Hi Jenny,
| >
| > Just like a few years ago, there appears to be a (pair of) new CVE(s) for
| > readxl.
| >
| > Can I assume you will deal with this at the CRAN package level? The GH issues
| > linked below were opened quite some time ago, and there is no follow-up from
| > Evan I can see :-/ Have you been in contact with him?
| >
| > Cheers, Dirk
| >
| > On 12 June 2026 at 16:16, Moritz Mühlenhoff wrote:
| > | Source: r-cran-readxl
| > | X-Debbugs-CC: team@security.debian.org
| > | Severity: important
| > | Tags: security
| > |
| > | Hi,
| > |
| > | The following vulnerabilities were published for libxls, which is
| > | part of r-cran-readxl:
| > |
| > | CVE-2026-26824[0]:
| > | | libxls through version 1.6.3 contains a use of uninitialized memory
| > | | vulnerability in the OLE container parser. Memory allocated for the
| > | | Master Sector Allocation Table (MSAT) in read_MSAT() is not fully
| > | | initialized before being consumed by ole2_validate_sector_chain(),
| > | | which may result in application crashes or potential information
| > | | disclosure when processing a crafted XLS file
| > |
| > | https://github.com/libxls/libxls/issues/156
| > |
| > |
| > | CVE-2026-26825[1]:
| > | | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3
| > | | when parsing malformed XLS files. The issue is reachable via
| > | | xls_parseWorkBook() and is triggered by uninitialized heap memory
| > | | originating from the OLE layer (ole2_read). The flaw is detectable
| > | | with MemorySanitizer (MSAN) and can lead to undefined behavior,
| > | | incorrect parsing logic, or potential information disclosure.
| > |
| > | https://github.com/libxls/libxls/issues/155
| > |
| > |
| > | If you fix the vulnerabilities please also make sure to include the
| > | CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
| > |
| > | For further information see:
| > |
| > | [0] https://security-tracker.debian.org/tracker/CVE-2026-26824
| > |     https://www.cve.org/CVERecord?id=CVE-2026-26824
| > | [1] https://security-tracker.debian.org/tracker/CVE-2026-26825
| > |     https://www.cve.org/CVERecord?id=CVE-2026-26825
| > |
| > | Please adjust the affected versions in the BTS as needed.
| >
| > --
| > Dirk Eddelbuettel | edd@debian.org | http://dirk.eddelbuettel.com
| >
| > Support my Tour de Shore 2026 ride benefiting Maywood Fine Arts! More info at
| > https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_2026
On 12 June 2026 at 12:54, Dirk Eddelbuettel wrote:
|
| On 12 June 2026 at 10:46, Jenny Bryan wrote:
| | Hi Dirk,
| |
| | I do follow the libxls repo in a very passive manner, so presumably my
| | eyeballs have been exposed to this.
| |
| | But, no, I haven't got a true open issue about it, in the literal or
| | metaphorical sense, nor have I corresponded with Evan.
| |
| | Will you open a readxl issue stating that it's creating issues for you
| | on Debian? That at least puts it on my radar.
|
| Done, as you likely saw. Now at https://github.com/tidyverse/readxl/issues/795

For the Debian bug tracker record, there has been zero follow-up upstream at readxl. Just how there has been zero follow-up at its upstream, libxls, since the issues were opened there. Not great.

Dirk

| Dirk
|
| | Thanks, Jenny
| |
| | On Fri, Jun 12, 2026 at 8:18 AM Dirk Eddelbuettel <edd@debian.org> wrote:
| | >
| | >
| | > Hi Jenny,
| | >
| | > Just like a few years ago, there appears to be a (pair of) new CVE(s) for
| | > readxl.
| | >
| | > Can I assume you will deal with this at the CRAN package level? The GH issues
| | > linked below were opened quite some time ago, and there is no follow-up from
| | > Evan I can see :-/ Have you been in contact with him?
| | >
| | > Cheers, Dirk
| | >
| | > On 12 June 2026 at 16:16, Moritz Mühlenhoff wrote:
| | > | Source: r-cran-readxl
| | > | X-Debbugs-CC: team@security.debian.org
| | > | Severity: important
| | > | Tags: security
| | > |
| | > | Hi,
| | > |
| | > | The following vulnerabilities were published for libxls, which is
| | > | part of r-cran-readxl:
| | > |
| | > | CVE-2026-26824[0]:
| | > | | libxls through version 1.6.3 contains a use of uninitialized memory
| | > | | vulnerability in the OLE container parser. Memory allocated for the
| | > | | Master Sector Allocation Table (MSAT) in read_MSAT() is not fully
| | > | | initialized before being consumed by ole2_validate_sector_chain(),
| | > | | which may result in application crashes or potential information
| | > | | disclosure when processing a crafted XLS file
| | > |
| | > | https://github.com/libxls/libxls/issues/156
| | > |
| | > |
| | > | CVE-2026-26825[1]:
| | > | | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3
| | > | | when parsing malformed XLS files. The issue is reachable via
| | > | | xls_parseWorkBook() and is triggered by uninitialized heap memory
| | > | | originating from the OLE layer (ole2_read). The flaw is detectable
| | > | | with MemorySanitizer (MSAN) and can lead to undefined behavior,
| | > | | incorrect parsing logic, or potential information disclosure.
| | > |
| | > | https://github.com/libxls/libxls/issues/155
| | > |
| | > |
| | > | If you fix the vulnerabilities please also make sure to include the
| | > | CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
| | > |
| | > | For further information see:
| | > |
| | > | [0] https://security-tracker.debian.org/tracker/CVE-2026-26824
| | > |     https://www.cve.org/CVERecord?id=CVE-2026-26824
| | > | [1] https://security-tracker.debian.org/tracker/CVE-2026-26825
| | > |     https://www.cve.org/CVERecord?id=CVE-2026-26825
| | > |
| | > | Please adjust the affected versions in the BTS as needed.
| | >
| | > --
| | > Dirk Eddelbuettel | edd@debian.org | http://dirk.eddelbuettel.com
| | >
| | > Support my Tour de Shore 2026 ride benefiting Maywood Fine Arts! More info at
| | > https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_2026
|
| --
| Dirk Eddelbuettel | edd@debian.org | http://dirk.eddelbuettel.com
|
| Support my Tour de Shore 2026 ride benefiting Maywood Fine Arts! More info at
| https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_2026