LibreOffice Calc Formula Parsing Vulnerability

A vulnerability in LibreOffice (CVE-2023-0950) allows to trigger an array index underflow that could be exploited by an attacker to execute arbitrary code. To trigger the vulnerability, a victim only needs to open a specially crafted Spreadsheet file. The vulnerability has been fixed in LibreOffice 7.4.6/7.5.2.

The vulnerability was discovered during research of a mobile application. The vulnerability is considered particularly interesting because it occurs during the processing of a specific formula, giving an attacker a high degree of flexibility when exploiting the vulnerability.

Details & Impact

For example, a Spreedsheet that contains the following formula will crash affected versions of LibreOffice:


The vulnerability is triggered because the OR formula in the AGGREGATE formula has no parameters instead of the expected two parameters. Processing of formulas creates an internal parameter array that acts as a parameter stack. When the parameters for the specially crafted AGGREGATE formula are read, an invalid read attempt is made for a parameter before this array. By arranging previously executed formulas in a particular way, an attacker could control the data before the parameter array and thus inject a fake parameter. Spreadsheet formula parameters are complex objects in Libre Office, so injecting a fake parameter could allow an attacker to execute arbitrary code.


Holger Fuhrmannek (