Home

Description

A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.

PUBLISHED Reserved 2026-04-09 | Published 2026-06-15 | Updated 2026-06-15 | Assigner Document Fdn.




MEDIUM: 5.4CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-416 Use After Free

CWE-787 Out-of-bounds Write

Product status

Default status
unknown

25.8 (25.8 series) before < 25.8.7
affected

26.2 (26.2 series) before < 26.2.3
affected

Credits

Anthropic (automated discovery using Claude) finder

Trail of Bits (triage and validation) analyst

References

www.libreoffice.org/...-us/security/advisories/cve-2026-6040

cve.org (CVE-2026-6040)

nvd.nist.gov (CVE-2026-6040)

Download JSON