A use after free vulnerability was found in RTF parser of LibreOffice. The vulnerability lies in the parsing of documents containing both stylesheet and superscript tokens. A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be used to execute arbitrary code.
Created libreoffice tracking bugs for this issue:
Affects: fedora-23 [bug 1351199]
libreoffice-126.96.36.199-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.