Behdad Esfahbod

6 exploits Active since Jan 2022
CVE-2023-25193 WRITEUP HIGH WRITEUP
HarfBuzz < 6.0.0 - Denial of Service via O(n^2) Growth in Mark Attachment
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
CVSS 7.5
CVE-2021-45931 WRITEUP MEDIUM WRITEUP
HarfBuzz 2.9.0 - Out-of-bounds Write in hb_bit_set_invertible_t::set
HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).
CVSS 6.5
CVE-2022-33068 WRITEUP MEDIUM WRITEUP
Harfbuzz 4.3.0 - Denial of Service via Integer Overflow in hb-ot-shape-fallback.cc
An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
CVSS 5.5
CVE-2023-25193 WRITEUP HIGH WRITEUP
HarfBuzz < 6.0.0 - Denial of Service via O(n^2) Growth in Mark Attachment
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
CVSS 7.5
CVE-2024-56732 WRITEUP HIGH WRITEUP
HarfBuzz 8.5.0-10.0.1 - Heap-based Buffer Overflow in hb_cairo_glyphs_from_buffer
HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.
CVSS 8.8
CVE-2026-22693 WRITEUP MEDIUM WRITEUP
HarfBuzz <12.3.0 - Memory Corruption
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.
CVSS 5.3