Skip to main content

LibreOffice CVE-2026-6039

| EUVDEUVD-2026-36734 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-15 Document Fdn. GHSA-5jvm-83q6-h5jj
5.4
CVSS 4.0 · Vendor: Document Fdn.
Share

Severity by source

Vendor (Document Fdn.) PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.6 MEDIUM

Local file-open delivery (AV:L), no privileges needed (PR:N), user must open file (UI:R); heap overflow yields high availability impact with limited confidentiality and integrity exposure.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Document Fdn.).

CVSS VectorVendor: Document Fdn.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 15, 2026 - 19:01 EUVD
Analysis Generated
Jun 15, 2026 - 18:28 vuln.today
CVE Published
Jun 15, 2026 - 16:21 cve.org
MEDIUM 5.4

DescriptionCVE.org

LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.

AnalysisAI

Heap buffer overflow in LibreOffice's DXF import engine allows a crafted CAD file to corrupt process memory when a polyline with more than 65,535 points is parsed. The root cause is an integer truncation defect: the point count read from the DXF file is narrowed to a 16-bit value when sizing the heap allocation, but the original, un-truncated count drives the subsequent write loop - any polyline exceeding 65,535 points overflows the undersized buffer. A proof-of-concept exists (CVSS 4.0 E:P), exploitation requires passive user interaction (opening a malicious DXF file), and no active exploitation has been confirmed in CISA KEV at time of analysis.

Technical ContextAI

DXF (Drawing Exchange Format) is Autodesk's interoperability format for CAD data; LibreOffice (The Document Foundation, CPE cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*) parses it within its drawing subsystem to import vector graphics and polyline geometry. The defect is a classic integer width mismatch classified as CWE-787 (Out-of-bounds Write): the DXF parser reads a point-count field that can exceed 65,535 from the file, but casts or assigns it to a 16-bit unsigned integer before computing the heap buffer size. The allocation is therefore capped at at most 65,535-point capacity while the fill loop iterates over the full, uncapped count, writing polyline coordinates past the end of the heap allocation. This class of bug - allocate-with-narrow-type, fill-with-wide-type - is a well-understood source of heap corruption that can lead to denial of service (process crash) or, with attacker-controlled memory layout, to arbitrary code execution.

RemediationAI

The primary fix is to upgrade LibreOffice to a version confirmed as patched by The Document Foundation; the vendor advisory at https://www.libreoffice.org/about-us/security/advisories/cve-2026-6039 should be consulted for the exact fixed release number, as no specific version is cited in the available intelligence data. In fixed versions, oversized DXF polylines (point count exceeding 16-bit range) are rejected at parse time rather than processed. Until patching is possible, the most effective compensating control is to prohibit opening DXF files from untrusted external sources - this can be enforced via email gateway policies that strip or quarantine .dxf attachments, and by educating users not to open DXF files received from unknown parties. Disabling LibreOffice's DXF import filter entirely is technically possible by restricting the filter list in the LibreOffice configuration, but this breaks legitimate CAD workflow and should be weighed accordingly. There is no network-level mitigation applicable given the local file-open delivery vector.

CVE-2019-9851 CRITICAL POC
9.8 Aug 15

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitra

CVE-2015-5212 MEDIUM
6.8 Nov 10

Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load p

CVE-2015-5214 MEDIUM
6.8 Nov 10

LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a deni

CVE-2018-6871 CRITICAL POC
9.8 Feb 09

LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a

CVE-2021-25631 HIGH POC
8.8 May 03

In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist

CVE-2012-2334 MEDIUM POC
6.8 Jun 19

Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and

CVE-2018-10583 HIGH POC
7.5 May 01

An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically p

CVE-2014-3524 CRITICAL
9.3 Aug 26

Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified

CVE-2015-5213 MEDIUM
6.8 Nov 10

Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denia

CVE-2014-0247 CRITICAL
10.0 Jul 03

LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possib

CVE-2012-0037 MEDIUM POC
6.5 Jun 17

Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x

CVE-2017-7856 CRITICAL
9.8 Apr 14

LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::Imp

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise Workstation Extension 15 SP7 Affected

Share

CVE-2026-6039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy