PatchSiren cyber security CVE debrief
CVE-2026-8357 The Document Foundation CVE debrief
CVE-2026-8357 is a medium-severity vulnerability in LibreOffice Calc that can cause a heap buffer overflow when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for the worst-case scenario, allowing the formula to write one element past its end. In fixed versions, the array is sized to hold the largest possible nesting depth.
- Vendor: The Document Foundation
- Product: LibreOffice
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of LibreOffice Calc, particularly those who open spreadsheets from untrusted sources, should be aware of this vulnerability and ensure they are running a fixed version.
Technical summary
The vulnerability exists in the way LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow occurs when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for the worst-case scenario, allowing the formula to write one element past its end.
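The sizing error described above, as an added illustration in C. This is not LibreOffice source code: `MAX_TOKENS`, `slots_needed` and `track_depth` are hypothetical names, and the layout (slot 0 for the top level, one further slot per opening token) is an assumed simplified model. The same worst-case formula is refused by a bounds check when the array is one element short and fits when the array is sized for the largest possible depth.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical limit for illustration; not a LibreOffice constant. */
#define MAX_TOKENS 8

/* Assumed model: slot 0 holds the top level and every opening token
 * claims one more slot, so MAX_TOKENS opening tokens need one extra. */
static size_t slots_needed(size_t max_tokens)
{
    return max_tokens + 1;
}

/* Walk a formula, recording the token index at which each nesting level
 * was opened. Returns the deepest level reached, or -1 if a write would
 * land outside the cap-element array (refused instead of performed). */
static long track_depth(const char *formula, size_t cap)
{
    size_t *opened_at = cap ? calloc(cap, sizeof *opened_at) : NULL;
    if (opened_at == NULL)
        return -1;
    size_t depth = 0;                 /* index of the current level's slot */
    long deepest = 0;
    for (size_t i = 0; formula[i] != '\0'; i++) {
        if (formula[i] == '(') {
            if (depth + 1 >= cap) {   /* next slot would be past the end */
                free(opened_at);
                return -1;
            }
            opened_at[++depth] = i;
            if ((long)depth > deepest)
                deepest = (long)depth;
        } else if (formula[i] == ')' && depth > 0) {
            depth--;
        }
    }
    free(opened_at);
    return deepest;
}

/* Constructed sample input: MAX_TOKENS opening tokens and nothing else. */
static const char WORST_CASE[] = "((((((((";

int main(void)
{
    printf("one short: %ld\n", track_depth(WORST_CASE, MAX_TOKENS));
    printf("full size: %ld\n", track_depth(WORST_CASE, slots_needed(MAX_TOKENS)));
    return 0;
}
```

Without the `depth + 1 >= cap` check, the undersized call would write exactly one element past the end of the heap allocation, which is the class of defect the advisory describes.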
Defensive priority
Medium
Recommended defensive actions
- Update to a fixed version of LibreOffice Calc
- Be cautious when opening spreadsheets from untrusted sources
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].
Official resources
- CVE-2026-8357 CVE record (CVE.org)
- CVE-2026-8357 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-8357 was published on 2026-06-15T18:16:37.513Z and has not been modified since.