CVE-2026-6047
Published 2026-06-15
Priority P425 · medium · 5.4 · CVSS 4.0
EPSS: 0.12% (2.1th percentile)
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
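The check-before-write fix described above, as an added C++ example (not LibreOffice's code; the class names, field layout and event struct are hypothetical stand-ins). `replayUnchecked` shows the assumed-type write and `replayChecked` the form that verifies the handler's dynamic type first.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for the importer's handler classes (constructed layout).
struct Handler {
    virtual ~Handler() = default;
};
struct SmallHandler : Handler {      // a smaller handler type
    int depth = 0;
};
struct TextBoxHandler : Handler {    // the type the replay code expects
    int depth = 0;
    char pad[64] = {};
    bool inTextBox = false;          // field written during replay
};

struct DeferredEvent { std::string element; };

// "Before": trusts the assumed type. If h is really a SmallHandler, the store
// to inTextBox lands past the end of that allocation (CWE-843 -> CWE-787).
bool replayUnchecked(Handler* h, const std::vector<DeferredEvent>& ev) {
    auto* tb = static_cast<TextBoxHandler*>(h);
    tb->inTextBox = !ev.empty();
    return true;
}

// "After": check the dynamic type before the write; refuse to replay otherwise.
bool replayChecked(Handler* h, const std::vector<DeferredEvent>& ev) {
    auto* tb = dynamic_cast<TextBoxHandler*>(h);
    if (tb == nullptr)
        return false;                // wrong handler type: no write happens
    tb->inTextBox = !ev.empty();
    return true;
}

// Runs the checked path over both handler kinds; returns how many were replayed.
int demo() {
    std::vector<DeferredEvent> events{DeferredEvent{"txbxContent"}};  // constructed sample
    std::unique_ptr<Handler> small = std::make_unique<SmallHandler>();
    std::unique_ptr<Handler> box = std::make_unique<TextBoxHandler>();
    int replayed = 0;
    replayed += replayChecked(small.get(), events) ? 1 : 0;
    replayed += replayChecked(box.get(), events) ? 1 : 0;
    return replayed;
}

int main() { return demo() == 1 ? 0 : 1; }
```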
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| libreoffice | libreoffice | — | — |
| the_document_foundation | libreoffice | >= 25.8, < 25.8.7 | 25.8.7 |
| the_document_foundation | libreoffice | >= 26.2, < 26.2.3 | 26.2.3 |
CVSS provenance
nvd · v4.0 · 5.4 · MEDIUM · CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat · 5.4 · MEDIUM
Red Hat
libreoffice: LibreOffice: Denial of service via heap buffer overflow in OOXML document processing
vendor_redhat·2026-06-15·CVSS 5.4
CVE-2026-6047 [MEDIUM] CWE-843 libreoffice: LibreOffice: Denial of service via heap buffer overflow in OOXML document processing
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
A flaw was found in LibreOffice. This vulnerability, a heap buffer overflow, occurs when processing specially crafted OOXML (Office Open XML) documents. An attacker could create a malicious document that, when opened, causes a write beyond the intended memory boundary during the replaying of deferred parser even
VulDB
LibreOffice up to 25.8.6/26.2.2 out-of-bounds write
vuldb·2026-06-15·CVSS 5.4
CVE-2026-6047 [MEDIUM] LibreOffice up to 25.8.6/26.2.2 out-of-bounds write
A vulnerability categorized as critical has been discovered in LibreOffice up to 25.8.6/26.2.2. The impacted element is an unknown function. The manipulation results in out-of-bounds write.
This vulnerability was named CVE-2026-6047. The attack may be performed from remote. There is no available exploit.
It is advisable to upgrade the affected component.
GHSA
LibreOffice can import documents in the OOXML format (DOCX).
ghsa_unreviewed·2026-06-15
CVE-2026-6047 [MEDIUM] CWE-787 LibreOffice can import documents in the OOXML format (DOCX).
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-6047 libreoffice: LibreOffice: Denial of service via heap buffer overflow in OOXML document processing [fedora-all]
bugzilla·2026-06-16·CVSS 5.4
CVE-2026-6047 [MEDIUM] CVE-2026-6047 libreoffice: LibreOffice: Denial of service via heap buffer overflow in OOXML document processing [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6047 libreoffice: LibreOffice: Denial of service via heap buffer overflow in OOXML document processing
bugzilla·2026-06-15·CVSS 5.4
CVE-2026-6047 [MEDIUM] CVE-2026-6047 libreoffice: LibreOffice: Denial of service via heap buffer overflow in OOXML document processing
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.