CVE-2025-2866 — Improper Verification of Cryptographic Signature in Document Foundation Libreoffice

CWE-347 — Improper Verification of Cryptographic Signature7 documents7 sources

Severity

2.4LOWNVD

EPSS

0.1%

top 74.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Document Foundation Libreoffice Libreoffice

Timeline

PublishedApr 27

Latest updateMay 8

Description

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages3 packages

▶NVDlibreoffice/libreoffice24.8.0.1 — 24.8.6.0+3

▶CVEListV5the_document_foundation/libreoffice24.8 — < 24.8.6+1

▶Debianlibreoffice/libreoffice< 1:7.0.4-4+deb11u13+3

🔴Vulnerability Details

OSV

CVE-2025-2866: Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation↗2025-04-27

▶

CVEList

PDF signature forgery with adbe.pkcs7.sha1 SubFilter↗2025-04-27

▶

GHSA

GHSA-22mj-r7hq-f9h2: Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation↗2025-04-27

▶

📋Vendor Advisories

Ubuntu

LibreOffice vulnerability↗2025-05-08

▶

Red Hat

LibreOffice: PDF signature forgery with adbe.pkcs7.sha1 SubFilter↗2025-04-27

▶

Debian

CVE-2025-2866: libreoffice - Improper Verification of Cryptographic Signature vulnerability in LibreOffice al...↗2025

▶