Description
LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreOffice can import EMF+ graphics, and a heap buffer overflow exists when an EMF+ gradient brush is processed. The library reads the gradient blend point count from the file, multiplies it to compute an allocation size, and the multiplication can overflow. As a result a small buffer is allocated and later written to as if it were larger, corrupting adjacent memory. The weakness is an integer overflow (CWE-190) and an out‑of‑bounds write (CWE-787).

Affected Systems

This vulnerability affects LibreOffice from The Document Foundation. The advisory does not list specific release numbers, but indicates that the fix has been applied in more recent versions of the suite.

Risk and Exploitability

The flaw is assigned a CVSS score of 5.4 and an EPSS score of less than 1 %, indicating moderate technical severity but a very low exploitation probability at the time of assessment. It is not included in CISA’s KEV catalog. Exploitation would require a user to open a malicious document containing a vulnerable EMF+ gradient brush; the attack vector is file‑based and hinges on user interaction. The buffer overrun could lead to memory corruption and potentially compromise the stability or integrity of the application, though no evidence of direct code execution is provided by the description.

Generated by OpenCVE AI on June 18, 2026 at 01:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreOffice to the latest version that contains the fix for the EMF+ gradient brush import flaw
  • If an upgrade cannot be performed immediately, disable the import of EMF+ graphics or use a viewer that does not support the format
  • Treat documents that contain EMF+ graphics from untrusted or unknown sources with caution, scanning them or opening them in a sandboxed environment

Generated by OpenCVE AI on June 18, 2026 at 01:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4633-1 libreoffice security update
Debian DSA Debian DSA DSA-6346-1 libreoffice security update
History

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}

threat_severity

Moderate


Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared The Document Foundation
The Document Foundation libreoffice
Vendors & Products The Document Foundation
The Document Foundation libreoffice

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating.
Title Heap buffer overflow in EMF+ gradient brush import
Weaknesses CWE-190
CWE-787
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

The Document Foundation Libreoffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Document Fdn.

Published:

Updated: 2026-06-15T18:13:24.274Z

Reserved: 2026-04-09T19:07:34.963Z

Link: CVE-2026-6045

cve-icon Vulnrichment

Updated: 2026-06-15T18:12:52.505Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:37.007

Modified: 2026-06-15T20:55:48.070

Link: CVE-2026-6045

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T16:22:16Z

Links: CVE-2026-6045 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:30:15Z

Weaknesses