CVE-2025-2866

Publication date 27 April 2025

Last updated 14 May 2025

Ubuntu priority

Cvss 3 Severity Score

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libreoffice	25.04 plucky	Not affected
	24.10 oracular	Fixed 4:24.8.6-0ubuntu0.24.10.2
	24.04 LTS noble	Fixed 4:24.2.7-0ubuntu0.24.04.4
	22.04 LTS jammy	Fixed 1:7.3.7-0ubuntu0.22.04.10
	20.04 LTS focal	Fixed 1:6.4.7-0ubuntu0.20.04.15

Notes

mdeslaur

Fixed in (4:24.8.6-0ubuntu0.24.10.1) in oracular-proposed, but not yet in oracular-security

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libreoffice	Upstream: https://gerrit.libreoffice.org/c/core/+/183059 Upstream: https://git.libreoffice.org/core/+/5b25bf30f0909ce322527a9947a519c7dbc3050c%5E%21

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-7504-1
LibreOffice vulnerability
8 May 2025