CVE-2026-3664 is a security vulnerability identified in the xlnt-community xlnt library, versions 1.6.0 and 1.6.1. The vulnerability arises from an out-of-bounds read condition in the function xlnt::detail::compound_document::read_directory, located in the source/detail/cryptography/compound_document.cpp file. This function is responsible for parsing encrypted XLSX files, specifically reading directory structures within compound documents. An attacker with local access and low privileges can manipulate input to trigger an out-of-bounds read, potentially causing the application to read memory outside the intended buffer boundaries. This can lead to information disclosure or application crashes, impacting confidentiality and availability. The attack vector is local, requiring no user interaction or elevated privileges, which limits remote exploitation but still poses a risk in multi-user or shared environments. The vulnerability has been publicly disclosed, and a patch (identified as patch 147) is available to remediate the issue. The CVSS v4.0 score of 4.8 reflects a medium severity, considering the local attack vector, low complexity, and limited impact scope. No known exploits are currently active in the wild, but the public disclosure increases the risk of future exploitation. Organizations using xlnt for XLSX file parsing, especially those handling encrypted files, should prioritize patching to prevent potential data leakage or denial of service.

The primary impact of CVE-2026-3664 is the potential for unauthorized disclosure of memory contents due to an out-of-bounds read in the encrypted XLSX file parser. This can compromise confidentiality by exposing sensitive data residing in adjacent memory areas. Additionally, the vulnerability may cause application instability or crashes, affecting availability. Since exploitation requires local access with low privileges, the threat is significant in environments where multiple users share systems or where untrusted users have local access. The vulnerability does not allow remote exploitation or privilege escalation, limiting its impact on large-scale networked environments. However, in organizations relying on xlnt for processing encrypted spreadsheets, especially in desktop applications or local services, this vulnerability could be leveraged by malicious insiders or malware to extract sensitive information or disrupt operations. The absence of user interaction and the low complexity of exploitation increase the risk in applicable scenarios. Overall, the impact is moderate but should not be underestimated in sensitive or multi-user environments.

To mitigate CVE-2026-3664, organizations should immediately apply the official patch (patch 147) released by the xlnt-community to versions 1.6.0 and 1.6.1. Beyond patching, organizations should implement strict access controls to limit local access to systems running vulnerable versions of xlnt, reducing the risk of exploitation by unauthorized users. Employ application whitelisting and endpoint protection to detect and prevent execution of untrusted code that might attempt to exploit this vulnerability. Conduct thorough code reviews and testing when integrating xlnt into custom applications, ensuring that input validation and error handling are robust around encrypted XLSX file parsing. Monitor system logs for unusual crashes or memory access errors that could indicate exploitation attempts. Where feasible, isolate systems handling sensitive encrypted XLSX files to minimize exposure. Finally, maintain an up-to-date inventory of software components to quickly identify and remediate vulnerable instances of xlnt.