The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2023-0950

CVE-2023-0950: LibreOffice Spreadsheet RCE Vulnerability

CVE-2023-0950 is a remote code execution flaw in LibreOffice spreadsheets caused by array index underflow. Malformed formulas like AGGREGATE can trigger arbitrary code execution. This article covers technical details.

Published: February 4, 2026

CVE-2023-0950 Overview

CVE-2023-0950 is an Improper Validation of Array Index vulnerability (CWE-129) in the spreadsheet component of The Document Foundation LibreOffice. This vulnerability allows an attacker to craft a malicious spreadsheet document that triggers an array index underflow when loaded by a victim, potentially leading to arbitrary code execution.

The vulnerability stems from certain malformed spreadsheet formulas, such as AGGREGATE, that can be created with fewer parameters than the formula interpreter expects. When LibreOffice processes these malformed formulas, an array index underflow occurs, creating an exploitable condition where arbitrary code execution becomes possible.

Critical Impact

This vulnerability enables attackers to execute arbitrary code on victim systems through specially crafted spreadsheet documents, requiring only user interaction to open the malicious file.

Affected Products

  • LibreOffice versions 7.4 prior to 7.4.6
  • LibreOffice versions 7.5 prior to 7.5.1
  • Debian Linux 10.0

Discovery Timeline

  • 2023-05-25 - CVE-2023-0950 published to NVD
  • 2025-04-23 - Last updated in NVD database

Technical Details for CVE-2023-0950

Vulnerability Analysis

This vulnerability exists in LibreOffice's spreadsheet formula processing engine. The root cause is inadequate validation of array indices when parsing certain spreadsheet formulas. When a formula like AGGREGATE is constructed with insufficient parameters, the formula interpreter attempts to access array elements using an index that underflows, resulting in memory access outside the intended bounds.

The exploitation requires local access in the sense that a victim must open a malicious spreadsheet file. However, this attack vector is highly practical as spreadsheet documents are commonly shared via email, file sharing services, and other collaboration platforms. Once the malicious document is opened, no additional user interaction is required for the vulnerability to trigger.

The impact of successful exploitation is severe, as it can lead to complete compromise of confidentiality, integrity, and availability of the affected system. An attacker could leverage this vulnerability to install malware, exfiltrate sensitive data, or use the compromised system as a pivot point for further attacks.

Root Cause

The vulnerability originates from improper validation of array index boundaries in the spreadsheet formula interpreter. Specifically, when processing formulas like AGGREGATE, the interpreter does not adequately verify that the number of parameters supplied matches the expected count. This allows an attacker to craft a formula with fewer parameters than expected, causing the interpreter to calculate a negative array index, which underflows and points to unintended memory locations.

Attack Vector

The attack requires social engineering to convince a victim to open a malicious spreadsheet document. The attack flow involves:

  1. An attacker crafts a spreadsheet document containing a malformed formula with insufficient parameters
  2. The document is delivered to the victim via email, file sharing, or other means
  3. When the victim opens the document in a vulnerable LibreOffice version, the malformed formula is processed
  4. The formula interpreter experiences an array index underflow due to missing parameters
  5. This underflow condition can be leveraged to achieve arbitrary code execution in the context of the user running LibreOffice

The vulnerability is particularly dangerous because spreadsheet documents are ubiquitous in business environments and users are accustomed to opening them without suspicion.

Detection Methods for CVE-2023-0950

Indicators of Compromise

  • Unusual LibreOffice process behavior, including unexpected child processes or network connections
  • Spreadsheet files with malformed or unusually constructed AGGREGATE or similar formulas
  • LibreOffice crashes or abnormal terminations when opening specific spreadsheet files
  • Memory access violations or segmentation faults in LibreOffice logs

Detection Strategies

  • Monitor for LibreOffice processes spawning unexpected child processes or executing shell commands
  • Implement file inspection solutions to scan inbound spreadsheet documents for malformed formula structures
  • Deploy endpoint detection and response (EDR) solutions capable of detecting memory corruption exploitation attempts
  • Configure application whitelisting to alert on or prevent unexpected code execution from LibreOffice processes

Monitoring Recommendations

  • Enable verbose logging for LibreOffice to capture formula parsing errors and exceptions
  • Implement centralized log collection to correlate LibreOffice-related events across the environment
  • Monitor file system activity for spreadsheet documents originating from untrusted sources
  • Deploy behavioral analysis to detect anomalous process activity following LibreOffice document opens

How to Mitigate CVE-2023-0950

Immediate Actions Required

  • Update LibreOffice 7.4.x installations to version 7.4.6 or later
  • Update LibreOffice 7.5.x installations to version 7.5.1 or later
  • Educate users about the risks of opening spreadsheet documents from untrusted sources
  • Consider temporarily disabling automatic formula execution in LibreOffice until patches are applied

Patch Information

The Document Foundation has released security patches addressing this vulnerability. Users should update to the following versions or later:

  • LibreOffice 7.4 branch: Update to version 7.4.6 or later
  • LibreOffice 7.5 branch: Update to version 7.5.1 or later

For detailed patch information, refer to the LibreOffice Security Advisory for CVE-2023-0950. Linux distribution users should check their distribution's security advisories, including the Debian Security Advisory DSA-5415 and Gentoo GLSA 2023-11-15.

Workarounds

  • Avoid opening spreadsheet documents from untrusted or unknown sources until systems are patched
  • Use alternative office suite applications temporarily for processing untrusted spreadsheets
  • Implement network-level filtering to quarantine and scan inbound spreadsheet documents
  • Consider using LibreOffice in a sandboxed environment or virtual machine when opening documents from external sources
bash
# Verify LibreOffice version to confirm patched status
libreoffice --version

# On Debian-based systems, update LibreOffice via package manager
sudo apt update && sudo apt upgrade libreoffice

# On Gentoo systems, sync and update
emerge --sync && emerge -uDN libreoffice

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechLibreoffice
  • SeverityHIGH
  • CVSS Score7.8
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-129
  • Technical References
  • Debian LTS Announcement
  • Gentoo GLSA 2023-11-15
  • Debian Security Advisory DSA-5415
  • Vendor Resources
  • LibreOffice Security Advisory CVE-2023-0950
  • Related CVEs
  • CVE-2023-6186: LibreOffice Macro Execution RCE Vulnerability
  • CVE-2024-6472: LibreOffice Auth Bypass Vulnerability
  • CVE-2025-2866: LibreOffice PDF Signature Spoofing Flaw
  • CVE-2024-7788: LibreOffice Signature Forgery Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English