CVE-2025-2866

MEDIUM

LibreOffice 24.8.0.1-24.8.5.99 & 25.2.0-25.2.1 PDF Signature Spoofing

Title source: llm

Description

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

References (2)

Core 2

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/06/msg00002.html

Vendor Advisory

https://www.libreoffice.org/about-us/security/advisories/cve-2025-2866

Scores

CVSS v3 5.5

EPSS 0.0010

EPSS Percentile 0.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-347

Status published

Products (3)

libreoffice/libreoffice 24.8.0.0 alpha1 (2 CPE variants)

libreoffice/libreoffice 25.2.0.0 alpha1 (2 CPE variants)

libreoffice/libreoffice 24.8.0.1 - 24.8.6.0

Published Apr 27, 2025

Tracked Since Feb 18, 2026