Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Out-of-bounds write vulnerability in The Document Foundation LibreOffice via crafted OOXML documents with mismatched encryption salt parameters.
This issue affects LibreOffice: from 26.2 before 26.2.3, from 25.8 before 25.8.7.
AnalysisAI
Out-of-bounds write in LibreOffice 26.2 before 26.2.3 and 25.8 before 25.8.7 allows local attackers to cause memory corruption and availability impact by opening crafted OOXML documents with mismatched encryption salt parameters. The vulnerability requires user interaction to open a malicious document and affects memory integrity with elevated scope impact on availability.
Technical ContextAI
This vulnerability exists in LibreOffice's OOXML document parser, specifically in the encryption salt parameter handling logic. OOXML (Office Open XML) is the standardized format for Microsoft Office documents and is also used by LibreOffice. When processing Office documents with encryption, the parser must validate and synchronize encryption salt values; a mismatch between expected and actual salt parameters in the document structure causes the parser to write beyond allocated buffer boundaries. This is a classic CWE-787 (Out-of-bounds write) memory corruption vulnerability affecting the encryption/decryption subsystem. The CPE cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:* confirms the vulnerability affects the mainstream LibreOffice product across multiple versions.
RemediationAI
Update LibreOffice to version 26.2.3 or later for the 26.2 branch, or to version 25.8.7 or later for the 25.8 branch. Vendor-released patches are confirmed available from The Document Foundation. As a compensating control before patching, users should disable automatic opening of attachments from untrusted sources and implement document scanning or sandboxing for OOXML files from external parties. Note that sandboxing LibreOffice can prevent system-wide impact but does not prevent the application crash within the sandboxed process. For enterprise deployments, restrict OOXML document processing to trusted internal sources until patches can be applied. See https://www.libreoffice.org/about-us/security/advisories/cve-2026-4430 for official vendor guidance.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28327
GHSA-cwgp-8p97-cf77