CVE-2026-6047

Summary

LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.

Affected Software

VendorProductVersion RangeStatus
The Document FoundationLibreOffice25.8 < < 25.8.7affected
The Document FoundationLibreOffice26.2 < < 26.2.3affected

Weaknesses

  • CWE-787: CWE-787 Out-of-bounds Write
  • CWE-843: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References