{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8357", "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2", "state": "PUBLISHED", "assignerShortName": "Document Fdn.", "dateReserved": "2026-05-11T18:55:27.138Z", "datePublished": "2026-06-15T16:23:37.518Z", "dateUpdated": "2026-06-15T18:03:57.153Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2", "shortName": "Document Fdn.", "dateUpdated": "2026-06-15T16:23:37.518Z"}, "title": "Heap buffer overflow in Calc formula compilation", "datePublic": "2026-06-15T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-193", "description": "CWE-193 Off-by-one Error", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-44", "descriptions": [{"lang": "en", "value": "CAPEC-44 Overflow Binary Resource File"}]}], "affected": [{"vendor": "The Document Foundation", "product": "LibreOffice", "versions": [{"status": "affected", "version": "26.2", "lessThan": "< 26.2.4", "versionType": "26.2 series"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.</p>"}]}], "references": [{"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-8357"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P"}}], "credits": [{"lang": "en", "value": "Anthropic (automated discovery using Claude)", "type": "finder"}, {"lang": "en", "value": "Arthur Chan of Ada Logics (validation and reporting)", "type": "analyst"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T18:03:49.986573Z", "id": "CVE-2026-8357", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T18:03:57.153Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-8357", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T18:03:49.986573Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T18:03:53.174Z"}}], "cna": {"title": "Heap buffer overflow in Calc formula compilation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Anthropic (automated discovery using Claude)"}, {"lang": "en", "type": "analyst", "value": "Arthur Chan of Ada Logics (validation and reporting)"}], "impacts": [{"capecId": "CAPEC-44", "descriptions": [{"lang": "en", "value": "CAPEC-44 Overflow Binary Resource File"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Document Foundation", "product": "LibreOffice", "versions": [{"status": "affected", "version": "26.2", "lessThan": "< 26.2.4", "versionType": "26.2 series"}], "defaultStatus": "unknown"}], "datePublic": "2026-06-15T00:00:00.000Z", "references": [{"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-8357"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.", "supportingMedia": [{"type": "text/html", "value": "<p>LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193 Off-by-one Error"}]}], "providerMetadata": {"orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2", "shortName": "Document Fdn.", "dateUpdated": "2026-06-15T16:23:37.518Z"}}}, "cveMetadata": {"cveId": "CVE-2026-8357", "state": "PUBLISHED", "dateUpdated": "2026-06-15T18:03:57.153Z", "dateReserved": "2026-05-11T18:55:27.138Z", "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2", "datePublished": "2026-06-15T16:23:37.518Z", "assignerShortName": "Document Fdn."}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting."}], "id": "CVE-2026-8357", "lastModified": "2026-06-15T20:55:48.070", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@documentfoundation.org", "type": "Secondary"}]}, "published": "2026-06-15T18:16:37.513", "references": [{"source": "security@documentfoundation.org", "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-8357"}], "sourceIdentifier": "security@documentfoundation.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}, {"lang": "en", "value": "CWE-787"}], "source": "security@documentfoundation.org", "type": "Secondary"}]}

{"bugzilla": {"description": "libreoffice: LibreOffice Calc: Arbitrary code execution via heap buffer overflow in formula compilation", "id": "2488964", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488964"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A vulnerability has been identified in LibreOffice Calc. An application crash may occur if a user opens a malicious spreadsheet that contains excessively long formulas. Successful exploitation of this vulnerability could result in a denial of service or potentially lead to arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Users should exercise caution when opening untrusted or suspicious spreadsheet documents."}, "name": "CVE-2026-8357", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libreoffice", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "libreoffice", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libreoffice", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libreoffice", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-15T16:23:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-8357\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-8357\nhttps://www.libreoffice.org/about-us/security/advisories/cve-2026-8357"], "statement": "A vulnerability has been identified in LibreOffice Calc. An application crash may occur if a user opens a malicious spreadsheet that contains excessively long formulas. In severe cases, this could allow an attacker to run unauthorized, malicious code on the user's computer. Users should avoid opening untrusted spreadsheets", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[26.2,26.2.4)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "LibreOffice", "source": "cna", "vendor": "The Document Foundation"}, "product": "libreoffice", "vendor": "the_document_foundation"}], "created": "2026-06-16T13:45:16.286932+00:00", "updated": "2026-06-18T20:30:05.289221+00:00", "vendors": ["the_document_foundation", "the_document_foundation$PRODUCT$libreoffice"]}