Description
LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreOffice Calc allows users to import spreadsheet documents that include tracked changes. When a spreadsheet reuses the same change identifier for two distinct kinds of change, the import routine treats one change object as a larger type and writes past the end of the allocated memory region, causing a heap buffer overflow. The overflow is an out‑of‑bounds write, identified as CWE‑787, coupled with an improper type conversion (CWE‑843). The memory corruption could compromise the stability of the application and, in the worst case, allow an attacker to influence program execution or cause a denial of service. Exploit requires a malicious spreadsheet file with duplicate change identifiers and local user interaction to import the file into Calc. The CVSS score of 5.4 reflects a moderate severity, and the EPSS score of less than 1% indicates a very low likelihood of active exploitation. The vulnerability is not listed in the CISA KEV catalog.

Affected Systems

LibreOffice Calc, all versions released before the duplicate‑identifier validation was added. Precise version numbers are not supplied, but any release that processes tracked‑changes imports without validation is affected.

Risk and Exploitability

The CVSS score of 5.4 shows moderate risk, and the EPSS score of <1% demonstrates that attack activity is unlikely today. Because exploitation requires a crafted spreadsheet and local user action, the opportunity for remote or automated attacks is limited. The vulnerability is not in CISA KEV, further indicating the overall risk remains low.

Generated by OpenCVE AI on June 18, 2026 at 03:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreOffice to a version that rejects duplicate change identifiers during tracked‑changes import.
  • If an upgrade cannot be performed, avoid importing spreadsheets that contain tracked changes or use a pre‑processing tool to remove duplicate IDs.
  • Disable the tracked‑changes import feature in Calc when the functionality is not needed.

Generated by OpenCVE AI on June 18, 2026 at 03:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4633-1 libreoffice security update
Debian DSA Debian DSA DSA-6346-1 libreoffice security update
History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}

threat_severity

Moderate


Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared The Document Foundation
The Document Foundation libreoffice
Vendors & Products The Document Foundation
The Document Foundation libreoffice

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected.
Title Heap buffer overflow in spreadsheet tracked-changes import
Weaknesses CWE-787
CWE-843
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

The Document Foundation Libreoffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Document Fdn.

Published:

Updated: 2026-06-16T19:27:16.142Z

Reserved: 2026-05-11T19:01:49.347Z

Link: CVE-2026-8358

cve-icon Vulnrichment

Updated: 2026-06-15T18:01:45.460Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:37.630

Modified: 2026-06-15T20:55:48.070

Link: CVE-2026-8358

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T16:24:03Z

Links: CVE-2026-8358 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:45:05Z

Weaknesses
  • CWE-787

    Out-of-bounds Write

  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')