CVE-2026-6047
Deferred - Pending Action
Heap Buffer Overflow in LibreOffice OOXML Parser

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Document Foundation, The

Description
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
the_document_foundation | libreoffice | *
CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Executive Summary

This vulnerability exists in LibreOffice when importing documents in the OOXML format (DOCX). It is a heap buffer overflow that occurs during the replay of deferred parser events for a text box element. Specifically, a handler object was assumed to be of a certain type and written to according to that type's field layout. However, the object could actually be smaller, causing the write operation to go past the end of the allocated memory.

In fixed versions of LibreOffice, the type of the handler object is checked before the write operation to prevent this overflow.
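
The bug class described above, as an added example that is not LibreOffice code: events are replayed into a handler whose dynamic type is checked before any field of the larger type is written. All type, field and function names are hypothetical, and the use of dynamic_cast is an assumption about one way to perform such a check.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical handler types; names and fields are illustrative only.
struct Handler {
    virtual ~Handler() = default;
    std::uint32_t token = 0;
};
struct TextBoxHandler : Handler {      // larger object: extra fields
    std::uint64_t shapeId = 0;
    bool inTextBox = false;
};
struct DeferredEvent { std::uint32_t token; std::uint64_t shapeId; };

// Constructed sample: two events recorded earlier, replayed later.
const std::vector<DeferredEvent> kSample = {{1, 41}, {2, 42}};

// Replays events into the handler that is current at replay time.
// Returns how many events were applied.
std::size_t replay(const std::vector<DeferredEvent>& events, Handler& current) {
    std::size_t applied = 0;
    for (const DeferredEvent& ev : events) {
        // Unchecked form (CWE-843 leading to CWE-787), kept as a comment:
        //   static_cast<TextBoxHandler&>(current).shapeId = ev.shapeId;
        // With a plain Handler, shapeId lies past the end of its allocation.
        auto* tb = dynamic_cast<TextBoxHandler*>(&current);
        if (tb == nullptr)
            continue;                  // not the assumed type: skip the write
        tb->token = ev.token;
        tb->shapeId = ev.shapeId;
        tb->inTextBox = true;
        ++applied;
    }
    return applied;
}

std::size_t replay_into_base() {       // heap object of the smaller type
    auto h = std::make_unique<Handler>();
    return replay(kSample, *h);
}
std::uint64_t replay_into_textbox() {  // heap object of the assumed type
    auto h = std::make_unique<TextBoxHandler>();
    replay(kSample, *h);
    return h->shapeId;
}

int main() { return (replay_into_base() == 0 && replay_into_textbox() == 42) ? 0 : 1; }
```

Building a test harness of this shape with AddressSanitizer (`-fsanitize=address`) is a practical way to confirm that no replay path writes through the larger layout into a smaller allocation.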

Impact Analysis

This heap buffer overflow vulnerability can potentially lead to memory corruption when processing specially crafted DOCX files. Such memory corruption could be exploited by an attacker to cause a crash or execute arbitrary code with the privileges of the user running LibreOffice.

Because the vulnerability requires user interaction (opening a malicious document) and local access (AV:L), the risk is moderate, but it could still lead to significant security issues such as data compromise or system instability.
