{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-41034", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T06:06:44.178Z", "datePublished": "2026-04-16T06:06:44.570Z", "dateUpdated": "2026-04-16T06:13:45.134Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ONLYOFFICE DocumentServer", "vendor": "Ascensio", "versions": [{"lessThan": "9.3.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T06:13:45.134Z"}, "references": [{"url": "https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass."}], "id": "CVE-2026-41034", "lastModified": "2026-04-16T07:16:30.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T07:16:30.843", "references": [{"source": "cve@mitre.org", "url": "https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.0)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "ONLYOFFICE DocumentServer", "source": "cna", "vendor": "Ascensio"}, "product": "document_server", "vendor": "onlyoffice"}], "analysis": {"en": {"generated_at": "2026-04-16T08:52:59.230121+00:00", "value": {"mitigation_remediation": ["Upgrade ONLYOFFICE DocumentServer to 9.3.0 or later.", "If an upgrade is not immediately possible, block or disable XLS file uploads or the conversion feature to prevent exploitation.", "Implement input validation for XLS files and perform strict bounds checking to eliminate untrusted pointer dereferences, following secure coding practices."], "summary": {"action": "Patch", "impact": "Information Disclosure and ASLR Bypass"}, "threat_synthesis": {"affected_systems": "VERSIONS PRIOR TO 9.3.0 of Ascensio ONLYOFFICE DocumentServer are affected. The issue is present in the document conversion component handling XLS files.", "description_and_impact": "The vulnerability is an untrusted pointer dereference that occurs during XLS processing and conversion in ONLYOFFICE DocumentServer. This flaw allows attackers to read memory contents (information leak) and bypass Address Space Layout Randomization, potentially aiding further exploitation. It is a classic memory safety error marked as CWE\u2011125.", "risk_and_exploitability": "The CVSS score of 5 denotes moderate severity, while the lack of an EPSS score means current exploitation probability is unknown. The weakness does not require local privilege escalation; an attacker only needs to supply a crafted XLS file to the server. Because the flaw can subvert ASLR, attackers that discover it may combine it with other remote exploits. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-16T09:00:05.120348+00:00", "title": "Untrusted Pointer Dereference in ONLYOFFICE DocumentServer XLS Processing Causes Information Leak and ASLR Bypass", "updated": "2026-04-16T09:00:05.289492+00:00", "vendors": ["onlyoffice", "onlyoffice$PRODUCT$document_server"]}