Vulnerability-Lookup

WID-SEC-W-2026-1929

Vulnerability from csaf_certbund - Published: 2026-06-15 22:00 - Updated: 2026-06-15 22:00

Summary

LibreOffice: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: LibreOffice ist eine leistungsfähige Office-Suite, voll kompatibel mit den Programmen anderer großer Office-Anbieter, für verbreitete Betriebssysteme wie Windows, GNU/Linux und Apple Mac OS X geeignet. LibreOffice bietet sechs Anwendungen für die Erstellung von Dokumenten und zur Datenverarbeitung: Writer, Calc, Impress, Draw, Base und Math.

Angriff: Ein lokaler Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX

CVE-2026-6039

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LibreOffice <25.8.7 Open Source / LibreOffice		<25.8.7
Open Source LibreOffice <26.2.3 Open Source / LibreOffice		<26.2.3

CVE-2026-6040

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LibreOffice <25.8.7 Open Source / LibreOffice		<25.8.7
Open Source LibreOffice <26.2.3 Open Source / LibreOffice		<26.2.3

CVE-2026-6045

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LibreOffice <25.8.7 Open Source / LibreOffice		<25.8.7
Open Source LibreOffice <26.2.3 Open Source / LibreOffice		<26.2.3

CVE-2026-6047

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LibreOffice <25.8.7 Open Source / LibreOffice		<25.8.7
Open Source LibreOffice <26.2.3 Open Source / LibreOffice		<26.2.3

CVE-2026-8356

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LibreOffice <25.8.7 Open Source / LibreOffice		<25.8.7
Open Source LibreOffice <26.2.3 Open Source / LibreOffice		<26.2.3

CVE-2026-8357

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LibreOffice <25.8.7 Open Source / LibreOffice		<25.8.7
Open Source LibreOffice <26.2.3 Open Source / LibreOffice		<26.2.3

CVE-2026-8358

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LibreOffice <25.8.7 Open Source / LibreOffice		<25.8.7
Open Source LibreOffice <26.2.3 Open Source / LibreOffice		<26.2.3

References

17 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/advisories/GHSA-5JVM-83Q6-H5JJ	external
https://github.com/advisories/GHSA-PP4W-C8M6-4XVF	external
https://github.com/advisories/GHSA-MC63-87JP-8648	external
https://github.com/advisories/GHSA-WQ72-H3FH-W757	external
https://github.com/advisories/GHSA-8R7P-3QW5-WXM5	external
https://github.com/advisories/GHSA-J779-PCC6-8C5F	external
https://github.com/advisories/GHSA-GPC5-JGQJ-XP2Q	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-36734	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-36735	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-36736	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-36737	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-36738	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-36739	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-36740	external
https://security-tracker.debian.org/tracker/DSA-6346-1	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "LibreOffice ist eine leistungsf\u00e4hige Office-Suite, voll kompatibel mit den Programmen anderer gro\u00dfer Office-Anbieter, f\u00fcr verbreitete Betriebssysteme wie Windows, GNU/Linux und Apple Mac OS X geeignet. LibreOffice bietet sechs Anwendungen f\u00fcr die Erstellung von Dokumenten und zur Datenverarbeitung: Writer, Calc, Impress, Draw, Base und Math.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1929 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1929.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1929 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1929"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-06-15",
        "url": "https://github.com/advisories/GHSA-5JVM-83Q6-H5JJ"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-06-15",
        "url": "https://github.com/advisories/GHSA-PP4W-C8M6-4XVF"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-06-15",
        "url": "https://github.com/advisories/GHSA-MC63-87JP-8648"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-06-15",
        "url": "https://github.com/advisories/GHSA-WQ72-H3FH-W757"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-06-15",
        "url": "https://github.com/advisories/GHSA-8R7P-3QW5-WXM5"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-06-15",
        "url": "https://github.com/advisories/GHSA-J779-PCC6-8C5F"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-06-15",
        "url": "https://github.com/advisories/GHSA-GPC5-JGQJ-XP2Q"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-06-15",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-36734"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-06-15",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-36735"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-06-15",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-36736"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-06-15",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-36737"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-06-15",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-36738"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-06-15",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-36739"
      },
      {
        "category": "external",
        "summary": "EU Vulnerability Database vom 2026-06-15",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-36740"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory vom 2026-06-15",
        "url": "https://security-tracker.debian.org/tracker/DSA-6346-1"
      }
    ],
    "source_lang": "en-US",
    "title": "LibreOffice: Mehrere Schwachstellen erm\u00f6glichen nicht spezifizierten Angriff",
    "tracking": {
      "current_release_date": "2026-06-15T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-16T08:54:53.357+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1929",
      "initial_release_date": "2026-06-15T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-06-15T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c26.2.3",
                "product": {
                  "name": "Open Source LibreOffice \u003c26.2.3",
                  "product_id": "T055403"
                }
              },
              {
                "category": "product_version",
                "name": "26.2.3",
                "product": {
                  "name": "Open Source LibreOffice 26.2.3",
                  "product_id": "T055403-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:libreoffice:libreoffice:26.2.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c25.8.7",
                "product": {
                  "name": "Open Source LibreOffice \u003c25.8.7",
                  "product_id": "T055404"
                }
              },
              {
                "category": "product_version",
                "name": "25.8.7",
                "product": {
                  "name": "Open Source LibreOffice 25.8.7",
                  "product_id": "T055404-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:libreoffice:libreoffice:25.8.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "LibreOffice"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6039",
      "product_status": {
        "known_affected": [
          "T055404",
          "T055403"
        ]
      },
      "release_date": "2026-06-15T22:00:00.000+00:00",
      "title": "CVE-2026-6039"
    },
    {
      "cve": "CVE-2026-6040",
      "product_status": {
        "known_affected": [
          "T055404",
          "T055403"
        ]
      },
      "release_date": "2026-06-15T22:00:00.000+00:00",
      "title": "CVE-2026-6040"
    },
    {
      "cve": "CVE-2026-6045",
      "product_status": {
        "known_affected": [
          "T055404",
          "T055403"
        ]
      },
      "release_date": "2026-06-15T22:00:00.000+00:00",
      "title": "CVE-2026-6045"
    },
    {
      "cve": "CVE-2026-6047",
      "product_status": {
        "known_affected": [
          "T055404",
          "T055403"
        ]
      },
      "release_date": "2026-06-15T22:00:00.000+00:00",
      "title": "CVE-2026-6047"
    },
    {
      "cve": "CVE-2026-8356",
      "product_status": {
        "known_affected": [
          "T055404",
          "T055403"
        ]
      },
      "release_date": "2026-06-15T22:00:00.000+00:00",
      "title": "CVE-2026-8356"
    },
    {
      "cve": "CVE-2026-8357",
      "product_status": {
        "known_affected": [
          "T055404",
          "T055403"
        ]
      },
      "release_date": "2026-06-15T22:00:00.000+00:00",
      "title": "CVE-2026-8357"
    },
    {
      "cve": "CVE-2026-8358",
      "product_status": {
        "known_affected": [
          "T055404",
          "T055403"
        ]
      },
      "release_date": "2026-06-15T22:00:00.000+00:00",
      "title": "CVE-2026-8358"
    }
  ]
}

CVE-2026-6039 (GCVE-0-2026-6039)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:21 – Updated: 2026-06-15 18:17

Title

Heap buffer overflow in DXF polyline import

Summary

LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-787 - Out-of-bounds Write
CWE-197 - Numeric Truncation Error

Assigner

Document Fdn.

References

1 reference

URL	Tags
https://www.libreoffice.org/about-us/security/adv…

Impacted products

1 product

Vendor	Product	Version
The Document Foundation	LibreOffice	Affected: 25.8 , < < 25.8.7 (25.8 series) Affected: 26.2 , < < 26.2.3 (26.2 series)

Date Public

2026-06-15 00:00

Credits

Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6039",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:16:06.325169Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:17:13.933Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-197",
              "description": "CWE-197 Numeric Truncation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:21:16.514Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6039"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in DXF polyline import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6039",
    "datePublished": "2026-06-15T16:21:16.514Z",
    "dateReserved": "2026-04-09T16:29:22.953Z",
    "dateUpdated": "2026-06-15T18:17:13.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6040 (GCVE-0-2026-6040)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:21 – Updated: 2026-06-15 18:14

Title

Heap use-after-free in ODF number-format blank-width parsing

Summary

A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-416 - Use After Free
CWE-787 - Out-of-bounds Write

Assigner

Document Fdn.

References

1 reference

URL	Tags
https://www.libreoffice.org/about-us/security/adv…

Impacted products

1 product

Vendor	Product	Version
The Document Foundation	LibreOffice	Affected: 25.8 , < < 25.8.7 (25.8 series) Affected: 26.2 , < < 26.2.3 (26.2 series)

Date Public

2026-06-15 00:00

Credits

Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:14:24.996356Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:14:30.848Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.\u003c/p\u003e"
            }
          ],
          "value": "A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:21:53.903Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6040"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap use-after-free in ODF number-format blank-width parsing",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6040",
    "datePublished": "2026-06-15T16:21:53.903Z",
    "dateReserved": "2026-04-09T16:42:11.799Z",
    "dateUpdated": "2026-06-15T18:14:30.848Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6045 (GCVE-0-2026-6045)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:22 – Updated: 2026-06-15 18:13

Title

Heap buffer overflow in EMF+ gradient brush import

Summary

LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-787 - Out-of-bounds Write
CWE-190 - Integer Overflow or Wraparound

Assigner

Document Fdn.

References

1 reference

URL	Tags
https://www.libreoffice.org/about-us/security/adv…

Impacted products

1 product

Vendor	Product	Version
The Document Foundation	LibreOffice	Affected: 25.8 , < < 25.8.7 (25.8 series) Affected: 26.2 , < < 26.2.3 (26.2 series)

Date Public

2026-06-15 00:00

Credits

Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6045",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:12:50.303654Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:13:24.274Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:22:16.574Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6045"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in EMF+ gradient brush import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6045",
    "datePublished": "2026-06-15T16:22:16.574Z",
    "dateReserved": "2026-04-09T19:07:34.963Z",
    "dateUpdated": "2026-06-15T18:13:24.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6047 (GCVE-0-2026-6047)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:22 – Updated: 2026-06-15 18:11

Title

Heap buffer overflow in OOXML text box element import

Summary

LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-787 - Out-of-bounds Write
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Assigner

Document Fdn.

References

1 reference

URL	Tags
https://www.libreoffice.org/about-us/security/adv…

Impacted products

1 product

Vendor	Product	Version
The Document Foundation	LibreOffice	Affected: 25.8 , < < 25.8.7 (25.8 series) Affected: 26.2 , < < 26.2.3 (26.2 series)

Date Public

2026-06-15 00:00

Credits

Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6047",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:11:34.358602Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:11:48.806Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type\u0027s field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type\u0027s field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-843",
              "description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:22:37.208Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6047"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in OOXML text box element import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6047",
    "datePublished": "2026-06-15T16:22:37.208Z",
    "dateReserved": "2026-04-09T19:21:23.491Z",
    "dateUpdated": "2026-06-15T18:11:48.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8356 (GCVE-0-2026-8356)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:23 – Updated: 2026-06-15 18:05

Title

Stack buffer overflow in PPT presentation import

Summary

LibreOffice can import presentations in the legacy binary PPT format. A stack buffer overflow existed when importing a colour-replacement record. Two fixed-size colour tables were filled from the file, but the write position was not reset between the two passes over the record, so a file whose combined colour counts exceeded the table size wrote past the end of the tables on the stack. In fixed versions the unused second pass is no longer read into those tables.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-787 - Out-of-bounds Write
CWE-121 - Stack-based Buffer Overflow

Assigner

Document Fdn.

References

1 reference

URL	Tags
https://www.libreoffice.org/about-us/security/adv…

Impacted products

1 product

Vendor	Product	Version
The Document Foundation	LibreOffice	Affected: 26.2 , < < 26.2.4 (26.2 series)

Date Public

2026-06-15 00:00

Credits

Anthropic (automated discovery using Claude) Arthur Chan of Ada Logics (validation and reporting)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8356",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:04:56.736672Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:05:22.786Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 26.2.4",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Arthur Chan of Ada Logics (validation and reporting)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice can import presentations in the legacy binary PPT format. A stack buffer overflow existed when importing a colour-replacement record. Two fixed-size colour tables were filled from the file, but the write position was not reset between the two passes over the record, so a file whose combined colour counts exceeded the table size wrote past the end of the tables on the stack. In fixed versions the unused second pass is no longer read into those tables.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice can import presentations in the legacy binary PPT format. A stack buffer overflow existed when importing a colour-replacement record. Two fixed-size colour tables were filled from the file, but the write position was not reset between the two passes over the record, so a file whose combined colour counts exceeded the table size wrote past the end of the tables on the stack. In fixed versions the unused second pass is no longer read into those tables."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:23:06.477Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-8356"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stack buffer overflow in PPT presentation import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-8356",
    "datePublished": "2026-06-15T16:23:06.477Z",
    "dateReserved": "2026-05-11T18:42:20.783Z",
    "dateUpdated": "2026-06-15T18:05:22.786Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8357 (GCVE-0-2026-8357)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:23 – Updated: 2026-06-15 18:03

Title

Heap buffer overflow in Calc formula compilation

Summary

LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-787 - Out-of-bounds Write
CWE-193 - Off-by-one Error

Assigner

Document Fdn.

References

1 reference

URL	Tags
https://www.libreoffice.org/about-us/security/adv…

Impacted products

1 product

Vendor	Product	Version
The Document Foundation	LibreOffice	Affected: 26.2 , < < 26.2.4 (26.2 series)

Date Public

2026-06-15 00:00

Credits

Anthropic (automated discovery using Claude) Arthur Chan of Ada Logics (validation and reporting)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8357",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:03:49.986573Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:03:57.153Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 26.2.4",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Arthur Chan of Ada Logics (validation and reporting)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-193",
              "description": "CWE-193 Off-by-one Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:23:37.518Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-8357"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in Calc formula compilation",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-8357",
    "datePublished": "2026-06-15T16:23:37.518Z",
    "dateReserved": "2026-05-11T18:55:27.138Z",
    "dateUpdated": "2026-06-15T18:03:57.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8358 (GCVE-0-2026-8358)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:24 – Updated: 2026-06-16 19:27

Title

Heap buffer overflow in spreadsheet tracked-changes import

Summary

LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
CWE-787 - Out-of-bounds Write

Assigner

Document Fdn.

References

1 reference

URL	Tags
https://www.libreoffice.org/about-us/security/adv…

Impacted products

1 product

Vendor	Product	Version
The Document Foundation	LibreOffice	Affected: 25.8 , < < 25.8.7 (26.2 series) Affected: 26.2 , < < 26.2.4 (26.2 series)

Date Public

2026-06-15 00:00

Credits

Anthropic (automated discovery using Claude) Arthur Chan of Ada Logics (validation and reporting)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8358",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:01:43.169114Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:01:48.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "26.2 series"
            },
            {
              "lessThan": "\u003c 26.2.4",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Arthur Chan of Ada Logics (validation and reporting)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-843",
              "description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T19:27:16.142Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-8358"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in spreadsheet tracked-changes import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-8358",
    "datePublished": "2026-06-15T16:24:03.796Z",
    "dateReserved": "2026-05-11T19:01:49.347Z",
    "dateUpdated": "2026-06-16T19:27:16.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1929

CVE-2026-6039 (GCVE-0-2026-6039)

CVE-2026-6040 (GCVE-0-2026-6040)

CVE-2026-6045 (GCVE-0-2026-6045)

CVE-2026-6047 (GCVE-0-2026-6047)

CVE-2026-8356 (GCVE-0-2026-8356)

CVE-2026-8357 (GCVE-0-2026-8357)

CVE-2026-8358 (GCVE-0-2026-8358)

Tags

Sightings

Nomenclature