Anthropic

**Name of the Vulnerable Software and Affected Versions** LibreOffice Calc (affected versions not specified) **Description** A heap buffer overflow occurs during the import of tracked changes from a spreadsheet document. This happens when a document reuses the same change identifier for two different types of changes, causing the importer to treat a change object as a larger type and write data beyond the allocated memory boundary. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** A heap use-after-free occurs during the import of blank-width characters within an ODF number format. This happens because a position value read from the document is not validated against the length of the format-code string, allowing a malformed number format to be processed against memory outside the intended string boundaries. Heap use-after-free is a memory corruption issue where a program continues to use a pointer after the memory it points to has been freed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibreOffice (affected versions not specified) **Description** A heap buffer overflow occurs during the import of EMF+ graphics, which can be embedded in documents. Specifically, the issue arises when importing an EMF+ gradient brush. The software reads the number of gradient blend points from the file to calculate the allocation size; however, this multiplication can overflow. This results in the allocation of a buffer that is too small, which is then filled as if it were larger, leading to data being written past the end of the buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibreOffice (affected versions not specified) **Description** A heap buffer overflow occurs during the import of documents in the OOXML (DOCX) format. The issue arises when replaying deferred parser events for a text box element, where a handler object is assumed to be of a specific type and written to according to that type's field layout. If the object is smaller than assumed, the write operation extends beyond the end of the memory allocation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibreOffice (affected versions not specified) **Description** A stack buffer overflow occurs when importing presentations in the legacy binary PPT format. The issue arises during the import of a colour-replacement record where two fixed-size colour tables are filled from the file. Because the write position is not reset between the two passes over the record, a file with combined colour counts exceeding the table size writes past the end of the tables on the stack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibreOffice Calc (affected versions not specified) **Description** A heap buffer overflow occurs during the compilation of cell formulas when opening a spreadsheet. This issue is triggered by very long formulas containing numerous opening tokens. The array used to track nesting depth is allocated with one element too few for the worst-case scenario, causing the formula to write one element beyond the array boundary. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firecracker versions 1.13.0 through 1.14.3 Firecracker version 1.15.0 **Description** An out-of-bounds write issue exists in the virtio PCI transport on x86 64 and aarch64 architectures. A local guest user with root privileges can exploit this by modifying virtio queue configuration registers after device activation to crash the Firecracker VMM process or potentially execute arbitrary code on the host. Host code execution requires additional preconditions, such as specific snapshot configurations or the use of a custom guest kernel. **Recommendations** For versions 1.13.0 through 1.14.3, upgrade to version 1.14.4 or later. For version 1.15.0, upgrade to version 1.15.1 or later.