CVE-2026-4430
Out-of-Bounds Write in LibreOffice via OOXML Encryption Mismatch
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: Document Foundation, The
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_document_foundation | libreoffice | From 26.2 (inc) to 26.2.3 (exc) |
| the_document_foundation | libreoffice | From 25.8 (inc) to 25.8.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4430 is a heap buffer overflow vulnerability in LibreOffice that occurs when processing specially crafted OOXML documents containing mismatched encryption salt parameters. This causes an out-of-bounds write in the software.
The vulnerability affects LibreOffice versions 26.2 before 26.2.3 and 25.8 before 25.8.7.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption due to an out-of-bounds write, which may be exploited to cause a crash or potentially execute arbitrary code when opening a crafted OOXML document in affected LibreOffice versions.
Users running vulnerable versions of LibreOffice are at risk if they open maliciously crafted documents.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade LibreOffice to version 26.2.3 or 25.8.7 or later.
This update fixes the out-of-bounds write vulnerability caused by processing crafted OOXML documents with mismatched encryption salt parameters.