CVE-2026-6039
Published 2026-06-15
Priority P424 · medium · 5.4 · CVSS 4.0
EPSS: 0.16% (5.2th percentile)
LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.
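The size/fill mismatch described above, reduced to its arithmetic, next to a check that rejects oversized counts. This is an added illustration, not LibreOffice's code; `point_t`, `points_past_end` and `import_polyline` are hypothetical names, and the sample points are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { double x, y; } point_t;   /* hypothetical point record */

/* Flawed pattern: the buffer is sized from a 16-bit copy of the count,
 * while the fill loop would use the full count. Returns how many points
 * would land past the end of the buffer (0 means no overflow).
 * Nothing is written here; only the arithmetic is modelled. */
size_t points_past_end(uint32_t file_count)
{
    uint16_t sized_for = (uint16_t)file_count;   /* silent truncation */
    return file_count > sized_for ? (size_t)file_count - sized_for : 0;
}

/* Hardened pattern: reject any count that does not fit the 16-bit
 * container before allocating, then size and fill from the same value.
 * Rejecting an empty polyline is an assumption of this sketch. */
int import_polyline(uint32_t file_count, const point_t *src,
                    point_t **out, uint16_t *out_count)
{
    if (file_count == 0 || file_count > UINT16_MAX)
        return -1;                        /* oversized polyline rejected */
    uint16_t n = (uint16_t)file_count;    /* lossless after the check */
    point_t *buf = calloc(n, sizeof *buf);
    if (buf == NULL)
        return -1;
    for (uint16_t i = 0; i < n; i++)      /* loop bound == allocation size */
        buf[i] = src[i];
    *out = buf;
    *out_count = n;
    return 0;
}

int main(void)
{
    point_t src[3] = { {0, 0}, {1, 1}, {2, 2} };  /* constructed sample */
    point_t *out = NULL;
    uint16_t n = 0;
    printf("past end for 65546: %zu\n", points_past_end(65546u));
    printf("import 3: %d\n", import_polyline(3, src, &out, &n));
    printf("import 65546: %d\n", import_polyline(65546u, src, &out, &n));
    free(out);
    return 0;
}
```
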
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| libreoffice | libreoffice | — | — |
| the_document_foundation | libreoffice | >= 25.8, < 25.8.7 | 25.8.7 |
| the_document_foundation | libreoffice | >= 26.2, < 26.2.3 | 26.2.3 |
CVSS provenance
nvd · v4.0 · 5.4 MEDIUM · CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat · 5.4 MEDIUM
Red Hat
libreoffice: LibreOffice: Denial of Service via specially crafted DXF polyline import
vendor_redhat·2026-06-15·CVSS 5.4
CVE-2026-6039 [MEDIUM] CWE-190 libreoffice: LibreOffice: Denial of Service via specially crafted DXF polyline import
A flaw was found in LibreOffice. This vulnerability, a heap buffer overflow, occurs when processing specially crafted DXF (Drawing Exchange Format) polyline files. An attacker could exploit this by convincing a user to open a malicious DXF file, which may lead to a denial of serv
Red Hat
kernel: bonding: annotate data-races around slave->last_rx
vendor_redhat·2026-02-18·CVSS 4.7
CVE-2026-23212 [MEDIUM] CWE-367 kernel: bonding: annotate data-races around slave->last_rx
In the Linux kernel, the following vulnerability has been resolved:
bonding: annotate data-races around slave->last_rx
slave->last_rx and slave->target_last_arp_rx[...] can be read and written
locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
syzbot reported:
BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
__netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
__netif_receive_skb_one_core net/core/dev.c:6150 [inline]
__netif_receive_skb+0x59/0x270 net/core/dev.c:6265
netif_receive_skb_internal net/core/dev.c:6351
GHSA
LibreOffice can import drawings in the DXF format used by CAD software.
ghsa_unreviewed·2026-06-15
CVE-2026-6039 [MEDIUM] CWE-197 LibreOffice can import drawings in the DXF format used by CAD software.
VulDB
LibreOffice up to 25.8.6/26.2.2 out-of-bounds write
vuldb·2026-06-15·CVSS 5.4
CVE-2026-6039 [MEDIUM] LibreOffice up to 25.8.6/26.2.2 out-of-bounds write
A vulnerability was found in LibreOffice up to 25.8.6/26.2.2. It has been classified as critical. This issue affects some unknown processing. Performing a manipulation results in out-of-bounds write.
This vulnerability is known as CVE-2026-6039. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-6039 libreoffice: LibreOffice: Denial of Service via specially crafted DXF polyline import [fedora-all]
bugzilla·2026-06-16·CVSS 5.4
CVE-2026-6039 [MEDIUM] CVE-2026-6039 libreoffice: LibreOffice: Denial of Service via specially crafted DXF polyline import [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6039 libreoffice: LibreOffice: Denial of Service via specially crafted DXF polyline import
bugzilla·2026-06-15·CVSS 5.4
CVE-2026-6039 [MEDIUM] CVE-2026-6039 libreoffice: LibreOffice: Denial of Service via specially crafted DXF polyline import
Published: 2026-06-15