Skip to main content

LibreOffice CVE-2026-6040

| EUVDEUVD-2026-36735 MEDIUM
Use After Free (CWE-416)
2026-06-15 Document Fdn. GHSA-pp4w-c8m6-4xvf
5.4
CVSS 4.0 · Vendor: Document Fdn.
Share

Severity by source

Vendor (Document Fdn.) PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.6 MEDIUM

AV:L and UI:R because exploitation requires opening a local file; no privileges needed; crash dominates with A:H and limited memory read gives C:L.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
6.6 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (Document Fdn.).

CVSS VectorVendor: Document Fdn.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 15, 2026 - 19:01 EUVD
Analysis Generated
Jun 15, 2026 - 18:28 vuln.today
CVE Published
Jun 15, 2026 - 16:21 cve.org
MEDIUM 5.4

DescriptionCVE.org

A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.

AnalysisAI

Heap use-after-free in LibreOffice's ODF number format parser allows memory corruption when a user opens a crafted document containing a malformed number format string. The flaw arises because a position value embedded in the document is consumed without validation against the actual length of the format-code string, causing the parser to reference stale or out-of-bounds heap memory. Publicly available exploit code exists (CVSS 4.0 E:P), and while no active exploitation is confirmed via CISA KEV, the low attack complexity and document-phishing delivery model make this a realistic targeted threat.

Technical ContextAI

LibreOffice's ODF import subsystem processes number format codes - including blank-width character specifications - by reading a position value directly from the document stream. The root cause (CWE-416: Use After Free) is the absence of a bounds check: when the position read from the malformed document exceeds the actual length of the format-code string, subsequent parsing operates against heap memory that is outside the string buffer, potentially already freed. The fix introduces a bounds check on the position value before it is dereferenced. Affected product scope is identified by CPE cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*, indicating all platform variants (Linux, macOS, Windows) of LibreOffice published by The Document Foundation are in scope until the patched release.

RemediationAI

Update LibreOffice to the fixed release in which the position value is bounds-checked before use in the ODF number format import routine; confirm the exact fixed version via the vendor advisory at https://www.libreoffice.org/about-us/security/advisories/cve-2026-6040 as the precise version number is not specified in available intelligence. Where immediate patching is not possible, restrict end users from opening ODF documents received from untrusted external sources - this is the most effective compensating control since exploitation requires the user to open a crafted file (trade-off: may block legitimate document workflows). Organizations processing external ODF files at scale should consider running LibreOffice in a sandboxed or containerized environment (e.g., LibreOffice Online in an isolated container) to bound the blast radius of a successful heap exploit; this adds operational complexity but limits lateral movement and host-level impact. Disabling macro execution or adjusting security settings will not mitigate this flaw, as it is triggered by the document parser itself, not macro content.

CVE-2019-9851 CRITICAL POC
9.8 Aug 15

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitra

CVE-2015-5212 MEDIUM
6.8 Nov 10

Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load p

CVE-2015-5214 MEDIUM
6.8 Nov 10

LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a deni

CVE-2018-6871 CRITICAL POC
9.8 Feb 09

LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a

CVE-2021-25631 HIGH POC
8.8 May 03

In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist

CVE-2012-2334 MEDIUM POC
6.8 Jun 19

Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and

CVE-2018-10583 HIGH POC
7.5 May 01

An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically p

CVE-2014-3524 CRITICAL
9.3 Aug 26

Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified

CVE-2015-5213 MEDIUM
6.8 Nov 10

Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denia

CVE-2014-0247 CRITICAL
10.0 Jul 03

LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possib

CVE-2012-0037 MEDIUM POC
6.5 Jun 17

Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x

CVE-2017-7856 CRITICAL
9.8 Apr 14

LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::Imp

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise Workstation Extension 15 SP7 Affected

Share

CVE-2026-6040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy