CVE-2026-3664 identifies a vulnerability in the xlnt-community xlnt library, a C++ library used for reading and writing XLSX spreadsheet files. The issue resides in the function xlnt::detail::compound_document::read_directory, located in the source/detail/cryptography/compound_document.cpp file, which handles parsing of encrypted XLSX files. Specifically, the vulnerability is an out-of-bounds read caused by improper bounds checking during directory reading operations within compound document structures. This flaw can be triggered by a local attacker who can supply manipulated XLSX files to the parser, causing it to read memory beyond the intended buffer limits. Although the attack vector is local execution with limited privileges, the out-of-bounds read could lead to information disclosure or application crashes, potentially affecting the stability or confidentiality of the application using the library. The vulnerability affects xlnt versions 1.6.0 and 1.6.1. The CVSS 4.0 vector indicates low attack complexity, no user interaction, and no privileges required beyond local access. The vulnerability has been publicly disclosed, and a patch (identified as patch 147) is available to fix the issue. No known exploits have been reported in the wild to date. Organizations relying on xlnt for XLSX file handling, especially in environments where local users may be untrusted or where XLSX files are processed from local sources, should apply the patch promptly to mitigate risk.

The primary impact of CVE-2026-3664 is the potential for information disclosure or application instability due to out-of-bounds memory reads. While the vulnerability does not allow remote exploitation or privilege escalation, local attackers with limited privileges could exploit it to read unintended memory areas, possibly leaking sensitive information processed by the application. Additionally, the out-of-bounds read could cause application crashes or denial of service, affecting availability. For organizations, this could lead to compromised data confidentiality or disruption of services that rely on the xlnt library for XLSX file processing. The impact is more significant in environments where local users are untrusted or where XLSX files are processed automatically from local sources. Since the vulnerability is limited to local execution, remote systems are less directly at risk unless combined with other attack vectors. However, any application using vulnerable xlnt versions in multi-user or shared environments should consider the risk of insider threats or malware exploiting this flaw.

To mitigate CVE-2026-3664, organizations should immediately apply the vendor-provided patch (patch 147) that addresses the out-of-bounds read in xlnt versions 1.6.0 and 1.6.1. Beyond patching, organizations should: 1) Restrict local access to systems running applications that use the xlnt library to trusted users only, minimizing the risk of local exploitation. 2) Implement strict input validation and sandboxing for XLSX files processed locally to prevent malformed or malicious files from triggering vulnerabilities. 3) Monitor application logs and system behavior for signs of crashes or abnormal memory access patterns that could indicate exploitation attempts. 4) Where possible, upgrade to later versions of xlnt that have incorporated security fixes and improvements. 5) Conduct regular security audits of software dependencies, especially libraries handling complex file formats like XLSX, to detect and remediate vulnerabilities promptly. 6) Educate developers and system administrators about the risks of local file parsing vulnerabilities and encourage secure coding and deployment practices.