
Description

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice, a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid. This issue affects LibreOffice: from 24.8 before 24.8.6, from 25.2 before 25.2.2.

PUBLISHED Reserved 2025-03-27 | Published 2025-04-27 | Updated 2025-11-03 | Assigner Document Fdn.




LOW: 2.4 | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-347 Improper Verification of Cryptographic Signature

Product status

Default status
unknown

24.8 (24.8 series) before 24.8.6
affected

25.2 (25.2 series) before 25.2.2
affected

Credits

Thanks to Juraj Šarinay for discovering this issue and for providing a fix (finder)

References

lists.debian.org/debian-lts-announce/2025/06/msg00002.html

www.libreoffice.org/...-us/security/advisories/cve-2025-2866

cve.org (CVE-2025-2866)

nvd.nist.gov (CVE-2025-2866)
