CVE-2024-48877: 
Linux Debian vulnerability analysis and mitigation

A memory corruption vulnerability exists in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. The vulnerability, identified as CVE-2024-48877, was discovered by Cisco Talos and publicly disclosed on June 2, 2025. The affected software is part of the catdoc suite of command-line utilities used for extracting plaintext from Microsoft Office documents (Talos Report).

The vulnerability occurs in the parsesst function when processing SST (Shared String Table) and CONTINUE records. On 32-bit platforms, an integer overflow can occur during memory allocation for string references. The vulnerability is triggered when the product of a 32-bit integer and the size of a pointer exceeds 32-bits, resulting in an undersized array allocation. This leads to a heap buffer overflow when the subsequent loop writes outside the bounds of the undersized array. The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and is classified as CWE-680 (Integer Overflow to Buffer Overflow) ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2024-2128)).

When successfully exploited, this vulnerability can lead to a heap buffer overflow condition. An attacker can trigger this vulnerability by providing a specially crafted malicious file, potentially leading to arbitrary code execution with the privileges of the application processing the malicious file (Talos Report).

The vulnerability was reported to the vendor on January 7, 2025, with subsequent contact on January 14, 2025. The vendor disclosure occurred on January 16, 2025, and the public release was made on June 2, 2025 (Talos Report).