Description
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreOffice can import Office XML documents and, during the import of a text box element, the parser sometimes assumes a handler object is larger than it actually is. This causes a write past the end of the allocated buffer, corrupting heap memory. The overflow can potentially lead to unauthorized code execution, data disclosure or program crash. The weakness is classified as CWE-787 (Out-of-Bounds Write) and CWE-843 (Type Confusion). The vulnerability is limited to the import path and appears only when documents containing text boxes are processed.

Affected Systems

The affected product is LibreOffice from The Document Foundation. No specific version numbers are listed in the advisory; the vulnerability has been fixed in later releases but the accurate scope is unclear from the data provided.

Risk and Exploitability

The CVSS base score is 5.4, indicating moderate severity, and the EPSS score is below 1%, suggesting low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires crafting a malicious OOXML file and presenting it to a user running LibreOffice; it is likely an application‑level attack with a local or user‑initiated vector. Because the vulnerability is tied to document import, an attacker would need to convince a user to open the malicious file or exploit a system that processes files without user interaction.

Generated by OpenCVE AI on June 18, 2026 at 01:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LibreOffice to the latest release that includes the fix for the text box import overflow.
  • If an upgrade is not immediately possible, restrict the use of the OOXML import feature or isolate the environment that processes Office files, such as a dedicated conversion server with restricted privileges.
  • Disable the import of documents from untrusted sources and conduct a security audit to identify any legacy LibreOffice installations that may be susceptible.
  • Implement input validation controls on the application that receives Office files to detect and reject malformed documents before they reach LibreOffice.

Generated by OpenCVE AI on June 18, 2026 at 01:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared The Document Foundation
The Document Foundation libreoffice
Vendors & Products The Document Foundation
The Document Foundation libreoffice

Tue, 16 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
Title Heap buffer overflow in OOXML text box element import
Weaknesses CWE-787
CWE-843
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

The Document Foundation Libreoffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Document Fdn.

Published:

Updated: 2026-06-15T18:11:48.806Z

Reserved: 2026-04-09T19:21:23.491Z

Link: CVE-2026-6047

cve-icon Vulnrichment

Updated: 2026-06-15T18:11:37.211Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:37.127

Modified: 2026-06-15T20:55:48.070

Link: CVE-2026-6047

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T16:22:37Z

Links: CVE-2026-6047 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:30:15Z

Weaknesses
  • CWE-787

    Out-of-bounds Write

  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')