Description
LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreOffice Calc’s import of spreadsheet tracked changes can trigger a heap buffer overflow when a document reuses a change identifier for two different change types. The importer misinterprets one change object as a larger type and writes beyond its allocation, corrupting memory. According to the CWE identifiers, this is a classic out‑of‑bounds write (CWE‑787) coupled with an improper type conversion (CWE‑843). The resulting memory corruption could potentially allow an attacker to hijack execution flow or crash the application, creating a local vulnerability for privilege escalation or denial of service.

Affected Systems

LibreOffice, specifically its Calc component, on all releases that allow tracked‑changes import before the enforcement of duplicate‑identifier rejection. Exact version numbers are not supplied, but any version that processes tracked changes without validation is susceptible.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a malicious spreadsheet file containing duplicate change identifiers and local interaction by a user who imports the file into Calc. Consequently, the risk is moderate but unlikely to be actively exploited in the wild.

Generated by OpenCVE AI on June 16, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreOffice to a patched release that rejects duplicate change identifiers.
  • If upgrading is not possible, avoid importing spreadsheets that contain tracked changes or use a pre‑processing tool to eliminate duplicate IDs.
  • Disable the tracked changes import feature in Calc settings when the functionality is not required.
  • Stay informed about future LibreOffice security releases and apply them promptly.

Generated by OpenCVE AI on June 16, 2026 at 20:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6346-1 libreoffice security update
History

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared The Document Foundation
The Document Foundation libreoffice
Vendors & Products The Document Foundation
The Document Foundation libreoffice

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected.
Title Heap buffer overflow in spreadsheet tracked-changes import
Weaknesses CWE-787
CWE-843
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

The Document Foundation Libreoffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Document Fdn.

Published:

Updated: 2026-06-16T19:27:16.142Z

Reserved: 2026-05-11T19:01:49.347Z

Link: CVE-2026-8358

cve-icon Vulnrichment

Updated: 2026-06-15T18:01:45.460Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:37.630

Modified: 2026-06-15T20:55:48.070

Link: CVE-2026-8358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-787

    Out-of-bounds Write

  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')