CVE-2025-2866

MEDIUM

Libreoffice < 24.8.6.0 - Signature Verification Bypass

Title source: rule

Description

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

References (2)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/06/msg00002.html

[Vendor Advisory] https://www.libreoffice.org/about-us/security/advisories/cve-2025-2866

Scores

CVSS v3 5.5

EPSS 0.0009

EPSS Percentile 25.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-347

Status published

Products (3)

libreoffice/libreoffice 24.8.0.0 alpha1 (2 CPE variants)

libreoffice/libreoffice 25.2.0.0 alpha1 (2 CPE variants)

libreoffice/libreoffice 24.8.0.1 - 24.8.6.0

Published Apr 27, 2025

Tracked Since Feb 18, 2026