Your message dated Fri, 12 Jun 2026 10:18:11 -0500
with message-id <[email protected]>
has caused the   report #1139808,
regarding r-cran-readxl: CVE-2026-26824 CVE-2026-26825
to be marked as having been forwarded to the upstream software
author(s) Jennifer Bryan <[email protected]>

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139808: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139808
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Hi Jenny,

Just like a few years ago, there appears to a (pair of) new CVE(s) for
readxl.

Can I assume you will deal with this at the CRAN package level? The GH issues
linked below were opened quite some time ago, and there is no follow-up from
Evan I can see :-/  Have you been in contact with him?

Cheers, Dirk

On 12 June 2026 at 16:16, Moritz Mühlenhoff wrote:
| Source: r-cran-readxl
| X-Debbugs-CC: [email protected]
| Severity: important
| Tags: security
| 
| Hi,
| 
| The following vulnerabilities were published for libxls, which is
| part of r-cran-readxl:
| 
| CVE-2026-26824[0]:
| | libxls through version 1.6.3 contains a use of uninitialized memory
| | vulnerability in the OLE container parser. Memory allocated for the
| | Master Sector Allocation Table (MSAT) in read_MSAT() is not fully
| | initialized before being consumed by ole2_validate_sector_chain(),
| | which may result in application crashes or potential information
| | disclosure when processing a crafted XLS file
| 
| https://github.com/libxls/libxls/issues/156
| 
| 
| CVE-2026-26825[1]:
| | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3
| | when parsing malformed XLS files. The issue is reachable via
| | xls_parseWorkBook() and is triggered by uninitialized heap memory
| | originating from the OLE layer (ole2_read). The flaw is detectable
| | with MemorySanitizer (MSAN) and can lead to undefined behavior,
| | incorrect parsing logic, or potential information disclosure.
| 
| https://github.com/libxls/libxls/issues/155
| 
| 
| If you fix the vulnerabilities please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
| 
| For further information see:
| 
| [0] https://security-tracker.debian.org/tracker/CVE-2026-26824
|     https://www.cve.org/CVERecord?id=CVE-2026-26824
| [1] https://security-tracker.debian.org/tracker/CVE-2026-26825
|     https://www.cve.org/CVERecord?id=CVE-2026-26825
| 
| Please adjust the affected versions in the BTS as needed.

-- 
Dirk Eddelbuettel | [email protected] | http://dirk.eddelbuettel.com

Support my Tour de Shore 2026 ride benefiting Maywood Fine Arts! More info at
https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_2026

--- End Message ---

Reply via email to