Description
LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreOffice imports DXF drawings. During polyline import, an internal heap buffer is sized based on a truncated 16‑bit point count while the full 32‑bit count is used to copy data, resulting in a heap buffer overflow. This overflow can corrupt memory and, depending on the environment, may lead to denial of service or arbitrary code execution. The weakness involves numeric truncation (CWE‑190), integer manipulation (CWE‑197) and out‑of‑bounds memory access (CWE‑787).

Affected Systems

The affected product is LibreOffice from The Document Foundation. Any release that has not yet implemented the filter that rejects oversized polylines remains vulnerable. The fixed versions reject such polylines, so updating to the latest LibreOffice release removes the problem.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1 % shows a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the file import feature; a malicious user could supply a crafted DXF file with an oversized polyline. No formal workaround is provided, so mitigation relies on applying the vendor‑issued patch and restricting DXF import from untrusted sources.

Generated by OpenCVE AI on June 17, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LibreOffice to the latest release that includes the CVE‑2026‑6039 fix.
  • If an update cannot be applied immediately, configure LibreOffice to run the DXF import feature in a sandboxed or restricted environment and quarantine or reject polylines with excessive point counts.
  • If the DXF import is not required for your workflow, disable the feature entirely to eliminate the attack surface.

Generated by OpenCVE AI on June 17, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4633-1 libreoffice security update
Debian DSA Debian DSA DSA-6346-1 libreoffice security update
History

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared The Document Foundation
The Document Foundation libreoffice
Vendors & Products The Document Foundation
The Document Foundation libreoffice

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.
Title Heap buffer overflow in DXF polyline import
Weaknesses CWE-197
CWE-787
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

The Document Foundation Libreoffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Document Fdn.

Published:

Updated: 2026-06-15T18:17:13.933Z

Reserved: 2026-04-09T16:29:22.953Z

Link: CVE-2026-6039

cve-icon Vulnrichment

Updated: 2026-06-15T18:16:08.981Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:36.740

Modified: 2026-06-15T20:55:48.070

Link: CVE-2026-6039

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T16:21:16Z

Links: CVE-2026-6039 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T19:30:11Z

Weaknesses