CVE-2026-6040

Vulnerability

A heap use-after-free vulnerability exists when LibreOffice imports the blank-width characters of an ODF number format. The position value read from the document is not checked against the length of the format-code string, so a malformed number format can be processed against memory outside that string. This affects LibreOffice versions from 26.2 before 26.2.3 and from 25.8 before 25.8.7 [1].

Exploitation

An attacker can exploit this by crafting a malicious ODF document containing a specially crafted number format with blank-width characters. The user must open the document in an affected version of LibreOffice. The unchecked position read from the document triggers a use-after-free on a heap buffer, potentially allowing the attacker to control the out-of-bounds memory access. No authentication or special network position is required beyond delivering the document to the user.

Impact

A successful exploit results in reading or writing memory beyond the bounds of the format-code string, which may lead to arbitrary memory disclosure, a crash (denial of service), or potentially code execution under the privileges of the user opening the document. The confidentiality and integrity of the affected system could be compromised.

Mitigation

The vulnerability is addressed in LibreOffice 26.2.3 and LibreOffice 25.8.7 [1]. Users should upgrade to these or later versions. If upgrade is not immediately possible, avoid opening untrusted ODF documents. No workarounds beyond upgrading are documented. The CVE is not listed on CISA KEV.