PatchSiren cyber security CVE debrief
CVE-2026-8358 The Document Foundation CVE debrief
CVE-2026-8358 is a medium-severity vulnerability in LibreOffice Calc that can lead to a heap buffer overflow when importing tracked changes from a spreadsheet. The vulnerability occurs when a document reuses the same change identifier for two different kinds of change, causing the importer to treat one change object as a different, larger type and write past the end of its allocation. In fixed versions, records with a duplicate identifier are rejected.
- Vendor: The Document Foundation
- Product: LibreOffice
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of LibreOffice Calc, particularly those who import tracked changes from spreadsheet documents, should be aware of this vulnerability and ensure they are using a fixed version.
Technical summary
The vulnerability is caused by a heap buffer overflow in the LibreOffice Calc importer. When a document reuses the same change identifier for two different kinds of change, the importer incorrectly treats one change object as a different, larger type and writes past the end of its allocation.
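The bug class described above and the fix behaviour (rejecting a record whose identifier is already in use), shown as an added example that is not LibreOffice code. The types `ChangeKind`, `ContentChange`, `MoveChange` and `ChangeRegistry` are hypothetical stand-ins, and the sample records are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>

// Hypothetical model of tracked-change records; not LibreOffice's classes.
enum class ChangeKind { Content, Move };

struct Change { virtual ~Change() = default; };
struct ContentChange : Change {};
struct MoveChange : Change {            // larger object than ContentChange
    std::int32_t srcRow = 0, dstRow = 0;
};

class ChangeRegistry {
    std::map<std::uint32_t, std::unique_ptr<Change>> byId_;
public:
    // Returns false (record rejected) when the identifier is already in use,
    // so an id can never refer to two different kinds of change.
    bool add(std::uint32_t id, ChangeKind kind) {
        if (byId_.count(id)) return false;
        if (kind == ChangeKind::Move) byId_[id] = std::make_unique<MoveChange>();
        else                          byId_[id] = std::make_unique<ContentChange>();
        return true;
    }
    // Second line of defence: verify the stored object's real type before
    // writing move-specific fields. An unchecked static_cast here would write
    // past the end of a smaller ContentChange allocation.
    bool setMove(std::uint32_t id, std::int32_t src, std::int32_t dst) {
        auto it = byId_.find(id);
        if (it == byId_.end()) return false;
        auto* mv = dynamic_cast<MoveChange*>(it->second.get());
        if (!mv) return false;
        mv->srcRow = src;
        mv->dstRow = dst;
        return true;
    }
    std::size_t size() const { return byId_.size(); }
};

// Constructed input: id 1 is declared twice with different kinds.
std::size_t rejectedInSample() {
    const struct { std::uint32_t id; ChangeKind kind; } records[] = {
        {1, ChangeKind::Content}, {2, ChangeKind::Move}, {1, ChangeKind::Move}};
    ChangeRegistry reg;
    std::size_t rejected = 0;
    for (const auto& r : records)
        if (!reg.add(r.id, r.kind)) ++rejected;
    return rejected;
}
```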
Defensive priority
Medium
Recommended defensive actions
- Update to a fixed version of LibreOffice Calc
- Be cautious when importing tracked changes from spreadsheet documents
Evidence notes
The CVE record was obtained from the official CVE website and the NVD detail page.
Official resources
- CVE-2026-8358 CVE record (CVE.org)
- CVE-2026-8358 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-8358 was published on 2026-06-15T18:16:37.630Z and has not been modified since then.