CVE-2026-6039
Description
Heap buffer overflow in LibreOffice DXF polyline import due to 16-bit truncation of point count leads to out-of-bounds write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in LibreOffice's DXF import filter when processing a polyline. The point count taken from the file is truncated to a 16-bit value when sizing the point buffer, but the full count is used to fill it, causing writes past the end of the allocated buffer. This affects LibreOffice versions from 26.2 before 26.2.3 and from 25.8 before 25.8.7. [1]
Exploitation
An attacker can exploit this vulnerability by crafting a DXF file containing a polyline with a point count exceeding the 16-bit range (i.e., 65536 or more). The victim must open the malicious file in LibreOffice. No authentication or special network position is required; the exploit relies on user interaction to open the file.
Impact
Successful exploitation results in a heap buffer overflow, which may lead to an application crash or arbitrary code execution. The out-of-bounds write could potentially be leveraged into remote code execution with the privileges of the user opening the file.
Mitigation
LibreOffice has addressed this vulnerability in versions 26.2.3 and 25.8.7, released on May 6, 2026. [1] Users should upgrade to these fixed versions or later. No workaround is available; oversized polylines are now rejected by the import filter.
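To make the mechanics described in the Vulnerability and Mitigation sections concrete, the following is an added illustration of the bug class (a point count narrowed to 16 bits before sizing the buffer while the full count drives the fill loop) beside the hardened form that rejects oversized polylines. It is constructed for this page and is not LibreOffice's DXF importer code; all names, the Point layout and the coordinate sample are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed illustration; not LibreOffice code. */
typedef struct { double x, y; } Point;

/* Slots a buffer gets when the 32-bit point count is narrowed to 16 bits
   before sizing, which is the defect on this page. 65536 wraps to 0 and
   70000 to 4464, so the allocation is far smaller than the fill loop expects. */
size_t truncated_slots(uint32_t count) {
    uint16_t narrowed = (uint16_t)count;   /* high bits silently dropped */
    return (size_t)narrowed;
}

/* Points a fill loop driven by the full count would write past the end of
   a buffer sized by truncated_slots(). Computed here, never performed. */
uint32_t overflow_points(uint32_t count) {
    size_t slots = truncated_slots(count);
    return (uint32_t)(count - slots);      /* slots <= count always holds */
}

/* Hardened import: the allocation and the fill loop use the same checked
   value, and counts that do not fit the 16-bit field are rejected, matching
   the fixed behaviour of rejecting oversized polylines. NULL means rejected. */
Point *import_polyline(const double *coords, size_t ncoords, uint32_t count) {
    if (count == 0 || count > UINT16_MAX)
        return NULL;                       /* oversized polyline: reject */
    if ((size_t)count * 2 > ncoords)
        return NULL;                       /* fewer coordinates than declared */
    Point *pts = calloc(count, sizeof *pts);
    if (!pts)
        return NULL;
    for (uint32_t i = 0; i < count; i++) { /* same bound as the allocation */
        pts[i].x = coords[2 * i];
        pts[i].y = coords[2 * i + 1];
    }
    return pts;
}

/* Constructed sample: three vertices as x,y pairs. Returns 1 on success. */
int sample_import_ok(void) {
    const double coords[] = { 0.0, 0.0, 1.0, 2.0, 3.0, 4.0 };
    Point *pts = import_polyline(coords, 6, 3);
    int ok = pts && pts[0].x == 0.0 && pts[1].y == 2.0 && pts[2].x == 3.0;
    free(pts);
    return ok;
}
```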
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.