Description
LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreOffice Calc builds an internal representation of cell formulas when a spreadsheet is opened. In some earlier releases, the array that tracks how deeply nested the formula’s parentheses become was allocated one element too small for the worst‑case scenario. If an attacker supplies a very long formula with many opening tokens, the program writes past the end of that array, causing a heap buffer overflow. The overflow can corrupt memory and, in a worst‑case scenario, enable execution of arbitrary code. The vulnerability is classified as CWE‑131 (Incorrect Size Calculation), CWE‑193 (Signed to Unsigned Conversion) and CWE‑787 (Out‑of‑Bounds Write). The publicly available CVSS score of 5.4 indicates moderate severity.

Affected Systems

The vulnerability affects LibreOffice, specifically the Calc component. Versions of LibreOffice released before the patch that corrects the array sizing are impacted. Exact version ranges are not listed, but any installation that has not been updated to the latest release is at risk.

Risk and Exploitability

The calculated EPSS score is less than 1 %, indicating a low predicted likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to deliver a malicious spreadsheet file and force the user to open it. Because the vulnerability resides in user‑initiated file handling and the impact level is moderate, overall risk is considered moderate, with exploitation less likely but still possible if the infected file is opened.

Generated by OpenCVE AI on June 18, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreOffice to the latest release that includes the fix for this overflow.
  • Avoid opening spreadsheets from untrusted or unknown sources until the update is applied.
  • Implement file‑level sandboxing or restrict macro execution to reduce the chances of unintended code execution.

Generated by OpenCVE AI on June 18, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4633-1 libreoffice security update
Debian DSA Debian DSA DSA-6346-1 libreoffice security update
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared The Document Foundation
The Document Foundation libreoffice
Vendors & Products The Document Foundation
The Document Foundation libreoffice

Mon, 15 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.
Title Heap buffer overflow in Calc formula compilation
Weaknesses CWE-193
CWE-787
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

The Document Foundation Libreoffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Document Fdn.

Published:

Updated: 2026-07-06T12:04:49.155Z

Reserved: 2026-05-11T18:55:27.138Z

Link: CVE-2026-8357

cve-icon Vulnrichment

Updated: 2026-06-30T03:16:45.500Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:37.513

Modified: 2026-06-15T20:55:48.070

Link: CVE-2026-8357

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-15T16:23:37Z

Links: CVE-2026-8357 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses