CVE-2026-6047
Deferred Deferred - Pending Action

Heap Buffer Overflow in LibreOffice OOXML Parser

Vulnerability report for CVE-2026-6047, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Document Foundation, The

Description

LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
the_document_foundation libreoffice *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, update LibreOffice to a fixed version where the type is checked before the write operation during OOXML document import.

Avoid opening untrusted DOCX documents in affected versions of LibreOffice until the update is applied.

Executive Summary

This vulnerability exists in LibreOffice when importing documents in the OOXML format (DOCX). It is a heap buffer overflow that occurs during the replay of deferred parser events for a text box element. Specifically, a handler object was assumed to be of a certain type and written to according to that type's field layout. However, the object could actually be smaller, causing the write operation to go past the end of the allocated memory.

In fixed versions of LibreOffice, the type of the handler object is checked before the write operation to prevent this overflow.

Impact Analysis

This heap buffer overflow vulnerability can potentially lead to memory corruption when processing specially crafted DOCX files. Such memory corruption could be exploited by an attacker to cause a crash or execute arbitrary code with the privileges of the user running LibreOffice.

Because the vulnerability requires user interaction (opening a malicious document) and local access (AV:L), the risk is moderate, but it could still lead to significant security issues such as data compromise or system instability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6047. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart