Description
CrossFont 7.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by submitting an oversized payload in the License Key field. Attackers can generate a malicious file containing 4000 bytes of data, paste it into the License Key input field, and trigger an application crash when processing the input.
Published: 2026-04-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Mitigate
AI Analysis

Impact

The vulnerability is a classic buffer overflow (CWE-120) in CrossFont 7.5 that allows a local attacker to crash the application by submitting an oversized payload in the License Key field. When the malicious data is processed, the application fails and terminates, resulting in an unavailability of the font management service for legitimate users.

Affected Systems

Acutesystems CrossFont version 7.5 is affected. No additional affected versions are listed in the data.

Risk and Exploitability

The CVSS score of 6.9 classifies the flaw as moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not included in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires local system access or a trusted user providing malicious data, which limits the attack window. Nonetheless, once executed the application ceases to function until restarted or patched.

Generated by OpenCVE AI on April 28, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict write and execute permissions on the CrossFont installation directory and limit access to the License Key input only to privileged users.
  • If a patch is not yet available, disable or remove the license key import functionality or uninstall the application from critical systems.
  • Monitor application logs for repeated crashes or abnormal input attempts and configure alerts for rapid incident response.

Generated by OpenCVE AI on April 28, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Acutesystems
Acutesystems crossfont
Vendors & Products Acutesystems
Acutesystems crossfont

Mon, 27 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 26 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Description CrossFont 7.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by submitting an oversized payload in the License Key field. Attackers can generate a malicious file containing 4000 bytes of data, paste it into the License Key input field, and trigger an application crash when processing the input.
Title CrossFont 7.5 Denial of Service via License Key Field
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Acutesystems Crossfont
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-27T14:08:26.109Z

Reserved: 2026-04-26T12:52:49.047Z

Link: CVE-2018-25273

cve-icon Vulnrichment

Updated: 2026-04-27T14:08:08.259Z

cve-icon NVD

Status : Deferred

Published: 2026-04-26T22:17:27.620

Modified: 2026-04-27T18:55:32.883

Link: CVE-2018-25273

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses