CVE-2026-54063: CWE-770: Allocation of Resources Without Limits or Throttling in qax-os excelize
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet() function in github.com/xuri/excelize/v2 uses an attacker-controlled <row r="N"> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required. This issue is fixed in version 2.11.0.
AI Analysis
Technical Summary
The vulnerability in excelize (CVE-2026-54063) arises from the checkSheet() function using an attacker-controlled row attribute value directly as the length argument to allocate a slice without validating it against the Excel row limit of 1,048,576. This allows an attacker to craft XLSX files that cause either a large memory allocation (~16 GB) leading to process termination or a runtime panic due to out-of-bounds slice indexing. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. The vulnerability is fixed in excelize version 2.11.0.
Potential Impact
An attacker can cause denial-of-service by supplying specially crafted XLSX files that trigger excessive memory allocation or runtime panics in applications using vulnerable excelize versions. This can crash or kill the process handling the file. No confidentiality or integrity impact is indicated.
Mitigation Recommendations
Upgrade excelize to version 2.11.0 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor stating the issue is fixed in 2.11.0. No other mitigations are indicated.
CVE-2026-54063: CWE-770: Allocation of Resources Without Limits or Throttling in qax-os excelize
Description
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet() function in github.com/xuri/excelize/v2 uses an attacker-controlled <row r="N"> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required. This issue is fixed in version 2.11.0.
CVSS v3.1
Score 7.5high
Affected software
pkg:golang/github.com/xuri/excelize/v2Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in excelize (CVE-2026-54063) arises from the checkSheet() function using an attacker-controlled row attribute value directly as the length argument to allocate a slice without validating it against the Excel row limit of 1,048,576. This allows an attacker to craft XLSX files that cause either a large memory allocation (~16 GB) leading to process termination or a runtime panic due to out-of-bounds slice indexing. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. The vulnerability is fixed in excelize version 2.11.0.
Potential Impact
An attacker can cause denial-of-service by supplying specially crafted XLSX files that trigger excessive memory allocation or runtime panics in applications using vulnerable excelize versions. This can crash or kill the process handling the file. No confidentiality or integrity impact is indicated.
Mitigation Recommendations
Upgrade excelize to version 2.11.0 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor stating the issue is fixed in 2.11.0. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-11T18:24:35.097Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a511ed468715ace43d68968
Added to database: 07/10/2026, 16:33:24 UTC
Last enriched: 07/10/2026, 16:48:03 UTC
Last updated: 07/10/2026, 19:03:08 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.