Description
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap use‑after‑free that occurs when LibreOffice parses the blank‑width characters of an ODF number format. A position value extracted from the document is used without checking it against the length of the corresponding format‑code string, allowing a specially crafted number format to read data from memory beyond the allocated buffer. This flaw falls under CWE‑416, CWE‑787, and CWE‑825 and can lead to corruption of application memory or a crash, but the CVE description does not explicitly confirm remote code execution or higher‑level exploitation.

Affected Systems

LibreOffice builds from The Document Foundation that were released before the fix that added bounds‑checking for the position value remain vulnerable. No specific version numbers are listed, so every installation of LibreOffice older than the patched release is potentially affected.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity assessment. The EPSS score is below 1 %, suggesting a very low likelihood of exploitation on its own time. The issue is not present in the CISA KEV catalog. The most likely attack vector involves a malicious actor creating a malformed ODF document containing an improper number format; when a user opens the file, the parsing routine can access memory outside the intended bounds. No public exploit has been disclosed, but the combination of a use‑after‑free and out‑of‑bounds read warrants precautionary measures.

Generated by OpenCVE AI on June 18, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreOffice to the latest release that implements the bounds‑checking fix.
  • If an upgrade cannot be performed immediately, process untrusted ODF files only in a sandboxed or isolated environment with restricted network and filesystem access.
  • Avoid opening ODF documents from untrusted or unknown sources wherever possible.

Generated by OpenCVE AI on June 18, 2026 at 22:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6346-1 libreoffice security update
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared The Document Foundation
The Document Foundation libreoffice
Vendors & Products The Document Foundation
The Document Foundation libreoffice

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.
Title Heap use-after-free in ODF number-format blank-width parsing
Weaknesses CWE-416
CWE-787
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

The Document Foundation Libreoffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Document Fdn.

Published:

Updated: 2026-06-30T12:11:11.361Z

Reserved: 2026-04-09T16:42:11.799Z

Link: CVE-2026-6040

cve-icon Vulnrichment

Updated: 2026-06-30T03:20:41.783Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:36.880

Modified: 2026-06-15T20:55:48.070

Link: CVE-2026-6040

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-15T16:21:53Z

Links: CVE-2026-6040 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses