Description
HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-qmp9-xqm5-jh6m
Scores
CVSS v3
8.8
EPSS
0.0025
EPSS Percentile
48.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-122
Status
published
Products (1)
harfbuzz/harfbuzz
>= 8.5.0, <= 10.0.1
Published
Dec 27, 2024
Tracked Since
Feb 18, 2026