CVE-2024-52035: 
Linux Debian vulnerability analysis and mitigation

An integer overflow vulnerability (CVE-2024-52035) was discovered in the OLE Document File Allocation Table Parser functionality of catdoc 0.95. The vulnerability was disclosed on June 2, 2025, affecting the catdoc command-line utility and its related tools (xls2csv and catppt) on 32-bit systems. This vulnerability was discovered by a member of Cisco Talos (Talos Report).

The vulnerability exists in the oleinit function where the product of number of sectors and sector size can exceed 32-bits, causing an integer overflow. This results in an undersized memory allocation for the file allocation table buffer. When processing a document, the catdoc utility reads the sector size and number of sectors from the file header, which are used to allocate memory for the file allocation table. If these values cause an overflow, subsequent fread operations can write beyond the allocated buffer boundaries, leading to heap-based memory corruption ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2024-2131)). The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to heap-based memory corruption when processing specially crafted malformed files. This can potentially allow for code execution under the context of the binary. The impact is limited to 32-bit versions of catdoc, xls2csv, and catppt utilities (Talos Report).

As of the disclosure date, there is no official patch available for this vulnerability. Users should exercise caution when processing untrusted Microsoft Office documents with catdoc utilities on 32-bit systems (Talos Report).