CVE-2025-2866

Published: Apr 27, 2025Modified: Nov 3, 2025

2.4

Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security@documentfoundation.org (Secondary)

Description

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

Affected (6)

Products: Libreoffice: Libreoffice

Libreoffice

1 product

Libreoffice

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Libreoffice Libreoffice	From 24.8.0.1 to 24.8.6.0
Libreoffice Libreoffice	From 25.2.0.1 to 25.2.2
Libreoffice Libreoffice	Version 24.8.0.0 alpha1
Libreoffice Libreoffice	Version 24.8.0.0 beta1
Libreoffice Libreoffice	Version 25.2.0.0 alpha1
Libreoffice Libreoffice	Version 25.2.0.0 beta1

Related CWEs

CWE-347

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (2)

https://www.libreoffice.org/about-us/security/advisories/cve-2025-2866

Source: security@documentfoundation.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2025/06/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.