Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L and UI:R because exploitation requires opening a local file; no privileges needed; crash dominates with A:H and limited memory read gives C:L.
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Primary rating from Vendor (Document Fdn.).
CVSS VectorVendor: Document Fdn.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.
AnalysisAI
Heap use-after-free in LibreOffice's ODF number format parser allows memory corruption when a user opens a crafted document containing a malformed number format string. The flaw arises because a position value embedded in the document is consumed without validation against the actual length of the format-code string, causing the parser to reference stale or out-of-bounds heap memory. Publicly available exploit code exists (CVSS 4.0 E:P), and while no active exploitation is confirmed via CISA KEV, the low attack complexity and document-phishing delivery model make this a realistic targeted threat.
Technical ContextAI
LibreOffice's ODF import subsystem processes number format codes - including blank-width character specifications - by reading a position value directly from the document stream. The root cause (CWE-416: Use After Free) is the absence of a bounds check: when the position read from the malformed document exceeds the actual length of the format-code string, subsequent parsing operates against heap memory that is outside the string buffer, potentially already freed. The fix introduces a bounds check on the position value before it is dereferenced. Affected product scope is identified by CPE cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*, indicating all platform variants (Linux, macOS, Windows) of LibreOffice published by The Document Foundation are in scope until the patched release.
RemediationAI
Update LibreOffice to the fixed release in which the position value is bounds-checked before use in the ODF number format import routine; confirm the exact fixed version via the vendor advisory at https://www.libreoffice.org/about-us/security/advisories/cve-2026-6040 as the precise version number is not specified in available intelligence. Where immediate patching is not possible, restrict end users from opening ODF documents received from untrusted external sources - this is the most effective compensating control since exploitation requires the user to open a crafted file (trade-off: may block legitimate document workflows). Organizations processing external ODF files at scale should consider running LibreOffice in a sandboxed or containerized environment (e.g., LibreOffice Online in an isolated container) to bound the blast radius of a successful heap exploit; this adds operational complexity but limits lateral movement and host-level impact. Disabling macro execution or adjusting security settings will not mitigate this flaw, as it is triggered by the document parser itself, not macro content.
More in Libreoffice
View allLibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitra
Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load p
LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a deni
LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a
In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist
Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically p
Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified
Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denia
LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possib
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x
LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::Imp
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36735
GHSA-pp4w-c8m6-4xvf