PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54063 qax-os CVE debrief

CVE-2026-54063 is a denial-of-service vulnerability in Excelize, a Go library for reading and writing Microsoft Excel spreadsheets. The vulnerability exists in the checkSheet() function, which uses an attacker-controlled XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required.

Vendor
qax-os
Product
excelize
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Developers and administrators of services that use the Excelize library to open XLSX files, especially those that call GetCellValue, should be aware of this vulnerability. This includes applications that process XLSX files from untrusted sources.

Technical summary

The checkSheet() function in Excelize uses an attacker-controlled <row r='N'> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). This allows a specially crafted XLSX file to trigger denial-of-service variants, including out-of-memory process kills and runtime panics via out-of-bounds slice indexing.

Defensive priority

High

Recommended defensive actions

  • Update Excelize to version 2.11.0 or later
  • Validate XLSX file inputs to ensure they conform to expected formats
  • Implement try-catch blocks to handle potential exceptions when processing XLSX files
  • Limit the size of XLSX files that can be processed
  • Monitor for suspicious XLSX file processing activity

Evidence notes

The CVE record was published on 2026-07-10T17:16:58.440Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. No additional information is available about the vulnerability beyond what is provided in the CVE record and NVD entry. Defenders should verify the Excelize library version used in their applications and ensure it is updated to version 2.11.0 or later to mitigate this vulnerability. They should also validate XLSX file inputs and implement try-catch blocks to handle potential exceptions when processing XLSX files.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:16:58.440Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.