Skip to main content

LibreOffice CVE-2026-6047

| EUVDEUVD-2026-36737 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-15 Document Fdn. GHSA-wq72-h3fh-w757
5.4
CVSS 4.0 · Vendor: Document Fdn.
Share

Severity by source

Vendor (Document Fdn.) PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.6 MEDIUM

Local file open triggers the flaw (AV:L); no privileges needed (PR:N); user must open document (UI:R); heap OOB write yields high availability loss and limited C/I impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Red Hat
5.0 MEDIUM
qualitative

Primary rating from Vendor (Document Fdn.).

CVSS VectorVendor: Document Fdn.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 15, 2026 - 19:01 EUVD
Analysis Generated
Jun 15, 2026 - 18:26 vuln.today
CVE Published
Jun 15, 2026 - 16:22 cve.org
MEDIUM 5.4

DescriptionCVE.org

LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.

AnalysisAI

Heap buffer overflow in LibreOffice's OOXML (DOCX) import component allows a specially crafted document to corrupt memory when processing text box elements, with high availability impact and limited confidentiality and integrity exposure. The flaw stems from a type confusion during deferred parser event replay: a handler object assumed to be a larger type is written to at that type's field layout, but the actual object may be smaller, causing the write to land past the end of the heap allocation. A proof-of-concept exploit exists (CVSS 4.0 E:P); no confirmed active exploitation is recorded in CISA KEV at time of analysis.

Technical ContextAI

LibreOffice's OOXML import pipeline uses a deferred event model to handle complex document structures - events are queued and replayed later during parsing. The vulnerability (CWE-787: Out-of-bounds Write) occurs specifically when replaying deferred events for text box elements: the code casts a handler object to an assumed type and writes to fields at that type's memory layout offsets, but the actual runtime object may be a smaller subtype, so the write overshoots the allocation boundary on the heap. This is a classic object type confusion leading to OOB write. The affected product is identified via CPE cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*, with no version boundary pinned in the NVD CPE, implying a broad but unspecified range. The fix adds a type check before the write, confirming the root cause is missing runtime type validation rather than an arithmetic error.

RemediationAI

The primary remediation is to upgrade to the patched LibreOffice version released by The Document Foundation, which introduces a type check before the handler object write in the OOXML deferred event replay path. The exact fixed version number was not independently confirmed from available data - consult the vendor advisory at https://www.libreoffice.org/about-us/security/advisories/cve-2026-6047 for the precise upgrade target. If immediate patching is not feasible, a targeted workaround is to disable or restrict macro-enabled and complex OOXML document processing: configure LibreOffice to warn before opening OOXML files from untrusted sources, or block DOCX attachments at the mail gateway for high-risk user populations. This limits exposure but does not eliminate risk for users who need to open DOCX files. Sandboxing LibreOffice processes (e.g., via AppArmor or Firejail on Linux) can reduce the blast radius of a successful heap corruption to the sandboxed process rather than the host system.

CVE-2019-9851 CRITICAL POC
9.8 Aug 15

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitra

CVE-2015-5212 MEDIUM
6.8 Nov 10

Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load p

CVE-2015-5214 MEDIUM
6.8 Nov 10

LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a deni

CVE-2018-6871 CRITICAL POC
9.8 Feb 09

LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a

CVE-2021-25631 HIGH POC
8.8 May 03

In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist

CVE-2012-2334 MEDIUM POC
6.8 Jun 19

Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and

CVE-2018-10583 HIGH POC
7.5 May 01

An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically p

CVE-2014-3524 CRITICAL
9.3 Aug 26

Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified

CVE-2015-5213 MEDIUM
6.8 Nov 10

Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denia

CVE-2014-0247 CRITICAL
10.0 Jul 03

LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possib

CVE-2012-0037 MEDIUM POC
6.5 Jun 17

Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x

CVE-2017-7856 CRITICAL
9.8 Apr 14

LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::Imp

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise Workstation Extension 15 SP7 Affected

Share

CVE-2026-6047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy