Your message dated Fri, 12 Jun 2026 10:18:11 -0500 with message-id <[email protected]> has caused the report #1139808, regarding r-cran-readxl: CVE-2026-26824 CVE-2026-26825 to be marked as having been forwarded to the upstream software author(s) Jennifer Bryan <[email protected]>
(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 1139808: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139808 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Hi Jenny, Just like a few years ago, there appears to a (pair of) new CVE(s) for readxl. Can I assume you will deal with this at the CRAN package level? The GH issues linked below were opened quite some time ago, and there is no follow-up from Evan I can see :-/ Have you been in contact with him? Cheers, Dirk On 12 June 2026 at 16:16, Moritz Mühlenhoff wrote: | Source: r-cran-readxl | X-Debbugs-CC: [email protected] | Severity: important | Tags: security | | Hi, | | The following vulnerabilities were published for libxls, which is | part of r-cran-readxl: | | CVE-2026-26824[0]: | | libxls through version 1.6.3 contains a use of uninitialized memory | | vulnerability in the OLE container parser. Memory allocated for the | | Master Sector Allocation Table (MSAT) in read_MSAT() is not fully | | initialized before being consumed by ole2_validate_sector_chain(), | | which may result in application crashes or potential information | | disclosure when processing a crafted XLS file | | https://github.com/libxls/libxls/issues/156 | | | CVE-2026-26825[1]: | | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 | | when parsing malformed XLS files. The issue is reachable via | | xls_parseWorkBook() and is triggered by uninitialized heap memory | | originating from the OLE layer (ole2_read). The flaw is detectable | | with MemorySanitizer (MSAN) and can lead to undefined behavior, | | incorrect parsing logic, or potential information disclosure. | | https://github.com/libxls/libxls/issues/155 | | | If you fix the vulnerabilities please also make sure to include the | CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. | | For further information see: | | [0] https://security-tracker.debian.org/tracker/CVE-2026-26824 | https://www.cve.org/CVERecord?id=CVE-2026-26824 | [1] https://security-tracker.debian.org/tracker/CVE-2026-26825 | https://www.cve.org/CVERecord?id=CVE-2026-26825 | | Please adjust the affected versions in the BTS as needed. -- Dirk Eddelbuettel | [email protected] | http://dirk.eddelbuettel.com Support my Tour de Shore 2026 ride benefiting Maywood Fine Arts! More info at https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_2026
--- End Message ---

