Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local file-open delivery (AV:L), no privileges needed (PR:N), user must open file (UI:R); heap overflow yields high availability impact with limited confidentiality and integrity exposure.
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from Vendor (Document Fdn.).
CVSS VectorVendor: Document Fdn.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.
AnalysisAI
Heap buffer overflow in LibreOffice's DXF import engine allows a crafted CAD file to corrupt process memory when a polyline with more than 65,535 points is parsed. The root cause is an integer truncation defect: the point count read from the DXF file is narrowed to a 16-bit value when sizing the heap allocation, but the original, un-truncated count drives the subsequent write loop - any polyline exceeding 65,535 points overflows the undersized buffer. A proof-of-concept exists (CVSS 4.0 E:P), exploitation requires passive user interaction (opening a malicious DXF file), and no active exploitation has been confirmed in CISA KEV at time of analysis.
Technical ContextAI
DXF (Drawing Exchange Format) is Autodesk's interoperability format for CAD data; LibreOffice (The Document Foundation, CPE cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*) parses it within its drawing subsystem to import vector graphics and polyline geometry. The defect is a classic integer width mismatch classified as CWE-787 (Out-of-bounds Write): the DXF parser reads a point-count field that can exceed 65,535 from the file, but casts or assigns it to a 16-bit unsigned integer before computing the heap buffer size. The allocation is therefore capped at at most 65,535-point capacity while the fill loop iterates over the full, uncapped count, writing polyline coordinates past the end of the heap allocation. This class of bug - allocate-with-narrow-type, fill-with-wide-type - is a well-understood source of heap corruption that can lead to denial of service (process crash) or, with attacker-controlled memory layout, to arbitrary code execution.
RemediationAI
The primary fix is to upgrade LibreOffice to a version confirmed as patched by The Document Foundation; the vendor advisory at https://www.libreoffice.org/about-us/security/advisories/cve-2026-6039 should be consulted for the exact fixed release number, as no specific version is cited in the available intelligence data. In fixed versions, oversized DXF polylines (point count exceeding 16-bit range) are rejected at parse time rather than processed. Until patching is possible, the most effective compensating control is to prohibit opening DXF files from untrusted external sources - this can be enforced via email gateway policies that strip or quarantine .dxf attachments, and by educating users not to open DXF files received from unknown parties. Disabling LibreOffice's DXF import filter entirely is technically possible by restricting the filter list in the LibreOffice configuration, but this breaks legitimate CAD workflow and should be weighed accordingly. There is no network-level mitigation applicable given the local file-open delivery vector.
More in Libreoffice
View allLibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitra
Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load p
LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a deni
LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a
In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist
Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically p
Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified
Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denia
LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possib
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x
LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::Imp
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36734
GHSA-5jvm-83q6-h5jj