CVE-2026-4430 Overview
CVE-2026-4430 is an out-of-bounds write vulnerability [CWE-787] in The Document Foundation's LibreOffice. The flaw occurs when LibreOffice processes crafted Office Open XML (OOXML) documents containing mismatched encryption salt parameters. An attacker can trigger memory corruption by convincing a user to open a malicious document.
The vulnerability affects LibreOffice versions from 26.2 before 26.2.3 and from 25.8 before 25.8.7. Exploitation requires local file access and user interaction, limiting remote attack scenarios but enabling phishing-driven document delivery.
Critical Impact
Successful exploitation can corrupt memory through out-of-bounds writes during OOXML decryption parsing, potentially impacting application availability and integrity on systems where users open crafted documents.
Affected Products
- LibreOffice 26.2 before 26.2.3
- LibreOffice 25.8 before 25.8.7
- The Document Foundation LibreOffice (OOXML document parsing component)
Discovery Timeline
- 2026-05-07 - CVE-2026-4430 published to the National Vulnerability Database (NVD)
- 2026-05-07 - Last updated in the NVD
Technical Details for CVE-2026-4430
Vulnerability Analysis
CVE-2026-4430 is an out-of-bounds write [CWE-787] triggered during LibreOffice's handling of encrypted OOXML documents. OOXML encryption relies on cryptographic parameters, including a salt value, embedded in the document's encryption descriptor. When the declared salt length and the actual salt data within the document do not match, LibreOffice's parsing logic writes beyond the bounds of the allocated buffer.
The attack requires local file access combined with user interaction, since the victim must open the crafted document. This pattern aligns with phishing campaigns that distribute malicious office documents through email attachments or shared storage.
Root Cause
The root cause is insufficient validation of encryption salt parameters before writing data into a fixed-size buffer. The decryption routine trusts the metadata declaration without reconciling it with the actual size of the salt payload. This mismatch allows writes past the intended buffer boundary, corrupting adjacent memory structures.
Attack Vector
An attacker crafts an OOXML document, such as a .docx, .xlsx, or .pptx file, containing an encryption header with deliberately mismatched salt size and salt content fields. The attacker delivers the document through email, file sharing, or removable media. When the user opens the document in a vulnerable LibreOffice build, the parser performs the out-of-bounds write during encryption header processing, leading to memory corruption and a likely application crash.
No public proof-of-concept code is available. For technical reproduction details, refer to the LibreOffice Security Advisory.
Detection Methods for CVE-2026-4430
Indicators of Compromise
- Unexpected soffice.bin or soffice.exe process crashes immediately after a user opens an OOXML file
- OOXML documents whose encryption descriptor declares a salt size that does not equal the byte length of the embedded salt blob
- Office documents arriving from untrusted senders with unusually small or malformed EncryptionInfo streams
Detection Strategies
- Inspect inbound OOXML attachments at the email gateway and parse the EncryptionInfo stream to validate that declared salt length matches actual salt length
- Monitor endpoint telemetry for LibreOffice process termination signals (SIGSEGV, access violation exceptions) correlated with recent document opens
- Hunt for anomalous child processes spawned by soffice after a document is opened, since memory corruption may be chained with secondary payloads
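The first strategy above, as an added example (not LibreOffice or vendor code): a Python check that takes an already-extracted EncryptionInfo stream and compares each declared saltSize with the decoded length of its saltValue. It assumes the agile-encryption XML descriptor from MS-OFFCRYPTO, since the page does not say which descriptor format is involved; extracting the stream from the document container is out of scope, and the function names and size cap are illustrative.

```python
import base64
import struct
import xml.etree.ElementTree as ET

AGILE_VERSION = (4, 4)      # versionMajor, versionMinor of an agile descriptor
MAX_DESCRIPTOR = 64 * 1024  # assumed cap for this example, not a spec limit

def salt_mismatches(stream: bytes) -> list[str]:
    """Findings for one EncryptionInfo stream; an empty list means consistent."""
    if len(stream) < 8:
        return ["stream shorter than the 8-byte header"]
    major, minor, _flags = struct.unpack_from("<HHI", stream, 0)
    if (major, minor) != AGILE_VERSION:
        return [f"version {major}.{minor} is not an agile descriptor; not checked"]
    xml = stream[8:]
    # Refuse oversized input and DTDs before handing the bytes to an XML parser.
    if len(xml) > MAX_DESCRIPTOR or b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["descriptor too large or carries a DTD"]
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return [f"descriptor XML does not parse: {exc}"]
    findings = []
    for elem in root.iter():  # keyData and encryptedKey both carry a salt
        if "saltSize" not in elem.attrib and "saltValue" not in elem.attrib:
            continue
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        try:
            declared = int(elem.attrib["saltSize"])
            actual = len(base64.b64decode(elem.attrib["saltValue"], validate=True))
        except (KeyError, ValueError):  # binascii.Error is a ValueError
            findings.append(f"{tag}: saltSize or saltValue missing or malformed")
            continue
        if declared != actual:
            findings.append(f"{tag}: saltSize={declared}, saltValue is {actual} bytes")
    return findings

def constructed_sample(declared: int, salt_len: int) -> bytes:
    """Constructed test input: header plus a minimal descriptor with a zero salt."""
    salt = base64.b64encode(bytes(salt_len)).decode()
    xml = ('<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption">'
           f'<keyData saltSize="{declared}" saltValue="{salt}"/></encryption>')
    return struct.pack("<HHI", 4, 4, 0x40) + xml.encode()

if __name__ == "__main__":
    print(salt_mismatches(constructed_sample(16, 16)))  # consistent
    print(salt_mismatches(constructed_sample(16, 32)))  # mismatch reported
```

A non-empty result is a reason to quarantine the attachment for review; descriptors in other formats are reported as unchecked rather than passed.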
Monitoring Recommendations
- Enable application crash reporting on endpoints running LibreOffice and forward dumps to centralized log analysis
- Track LibreOffice version inventory across the fleet to identify hosts still on 26.2.x prior to 26.2.3 or 25.8.x prior to 25.8.7
- Alert on user-opened documents that trigger crashes within seconds of launch, a behavioral signal of parser exploitation
How to Mitigate CVE-2026-4430
Immediate Actions Required
- Upgrade LibreOffice to version 26.2.3 (26.2 branch) or 25.8.7 (25.8 branch), or later, across all endpoints
- Identify and inventory all systems running affected LibreOffice branches using software asset management tools
- Educate users to avoid opening encrypted OOXML documents from untrusted sources until patches are deployed
Patch Information
The Document Foundation has released fixes in LibreOffice 26.2.3 and 25.8.7. Patch details and download links are available in the LibreOffice Security Advisory. Administrators should deploy updates through their standard package management channels or the official LibreOffice download portal.
Workarounds
- Block or quarantine encrypted OOXML attachments at email gateways until patching is complete
- Configure LibreOffice to open untrusted documents in a sandbox or restricted user account with minimal filesystem privileges
- Use protected view or alternate document viewers for files originating from external networks
# Verify installed LibreOffice version on Linux
libreoffice --version
# Example upgrade on Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade libreoffice
# Example upgrade on Fedora/RHEL
sudo dnf upgrade libreoffice


