CVE-2026-6047
Description
A heap buffer overflow in LibreOffice's OOXML text box import could allow arbitrary code execution via a crafted DOCX file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in LibreOffice's import of OOXML (DOCX) documents when replaying deferred parser events for a text box element. A handler object is assumed to be of a specific type and written to at that type's field layout, but it can actually be a smaller object, causing the write to land past the end of the allocation. This affects LibreOffice versions before 26.2.3 and before 25.8.7 [1].
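The pattern described above, reduced to a minimal C++ model: this is an added example, not LibreOffice's code or its fix, and every type and function name in it is hypothetical. It contrasts an unchecked downcast during deferred-event replay with one way to guard it (a dynamic type check), which is an assumption about a suitable defence rather than a statement of how the issue was patched.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical model of the bug class described above; none of these
// names come from LibreOffice.
struct Handler {                       // small base handler
    virtual ~Handler() = default;
    int id = 0;
};
struct TextBoxHandler : Handler {      // larger handler with extra fields
    std::uint64_t shapeState[8] = {};
    bool insideTextBox = false;
};

enum class Event { StartTextBox, EndTextBox };
// Vulnerable shape: trusts that the handler is a TextBoxHandler. If `h`
// is a plain Handler, the store lands past the end of its allocation.
// Shown for contrast only; never called in this example.
void replayUnchecked(Handler* h, const std::vector<Event>& deferred) {
    auto* tb = static_cast<TextBoxHandler*>(h);
    for (Event e : deferred)
        tb->insideTextBox = (e == Event::StartTextBox);
}

// Hardened shape: verify the dynamic type before touching derived
// fields and refuse to replay when it does not match.
// Returns the number of events applied, or -1 on a type mismatch.
int replayChecked(Handler* h, const std::vector<Event>& deferred) {
    auto* tb = dynamic_cast<TextBoxHandler*>(h);
    if (tb == nullptr)
        return -1;
    int applied = 0;
    for (Event e : deferred) {
        tb->insideTextBox = (e == Event::StartTextBox);
        ++applied;
    }
    return applied;
}

// Constructed input: a handler of either type and two deferred events.
int demo(bool textBox) {
    std::unique_ptr<Handler> h(textBox ? static_cast<Handler*>(new TextBoxHandler) : new Handler);
    return replayChecked(h.get(), {Event::StartTextBox, Event::EndTextBox});
}
int main() { return (demo(false) == -1 && demo(true) == 2) ? 0 : 1; }
```

Building the model with AddressSanitizer (`-fsanitize=address`) and calling the unchecked variant on a base `Handler` reports the write as a heap-buffer-overflow, which is how this class of defect typically surfaces in fuzzing.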
Exploitation
An attacker can exploit this vulnerability by crafting a malicious DOCX file with a specially constructed text box element that triggers the heap overflow. The victim must open the file in an affected version of LibreOffice. No special privileges or network access are required; the attack vector is remote via email, web download, or other file-sharing methods.
Impact
Successful exploitation results in an out-of-bounds write that can corrupt heap memory. This can lead to arbitrary code execution with the privileges of the user opening the document, or cause a denial of service via application crash [1].
Mitigation
The vulnerability is addressed in LibreOffice versions 26.2.3 and 25.8.7, released on May 6, 2026 [1]. Users should upgrade to these or later versions. No workarounds are available for earlier versions.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.