Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local file open triggers the flaw (AV:L); no privileges needed (PR:N); user must open document (UI:R); heap OOB write yields high availability loss and limited C/I impact.
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Primary rating from Vendor (Document Fdn.).
CVSS VectorVendor: Document Fdn.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
AnalysisAI
Heap buffer overflow in LibreOffice's OOXML (DOCX) import component allows a specially crafted document to corrupt memory when processing text box elements, with high availability impact and limited confidentiality and integrity exposure. The flaw stems from a type confusion during deferred parser event replay: a handler object assumed to be a larger type is written to at that type's field layout, but the actual object may be smaller, causing the write to land past the end of the heap allocation. A proof-of-concept exploit exists (CVSS 4.0 E:P); no confirmed active exploitation is recorded in CISA KEV at time of analysis.
Technical ContextAI
LibreOffice's OOXML import pipeline uses a deferred event model to handle complex document structures - events are queued and replayed later during parsing. The vulnerability (CWE-787: Out-of-bounds Write) occurs specifically when replaying deferred events for text box elements: the code casts a handler object to an assumed type and writes to fields at that type's memory layout offsets, but the actual runtime object may be a smaller subtype, so the write overshoots the allocation boundary on the heap. This is a classic object type confusion leading to OOB write. The affected product is identified via CPE cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*, with no version boundary pinned in the NVD CPE, implying a broad but unspecified range. The fix adds a type check before the write, confirming the root cause is missing runtime type validation rather than an arithmetic error.
RemediationAI
The primary remediation is to upgrade to the patched LibreOffice version released by The Document Foundation, which introduces a type check before the handler object write in the OOXML deferred event replay path. The exact fixed version number was not independently confirmed from available data - consult the vendor advisory at https://www.libreoffice.org/about-us/security/advisories/cve-2026-6047 for the precise upgrade target. If immediate patching is not feasible, a targeted workaround is to disable or restrict macro-enabled and complex OOXML document processing: configure LibreOffice to warn before opening OOXML files from untrusted sources, or block DOCX attachments at the mail gateway for high-risk user populations. This limits exposure but does not eliminate risk for users who need to open DOCX files. Sandboxing LibreOffice processes (e.g., via AppArmor or Firejail on Linux) can reduce the blast radius of a successful heap corruption to the sandboxed process rather than the host system.
More in Libreoffice
View allLibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitra
Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load p
LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a deni
LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a
In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist
Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically p
Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified
Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denia
LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possib
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x
LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::Imp
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36737
GHSA-wq72-h3fh-w757