Impact
An out‑of‑bounds write occurs when FreeType 2.13.0 and earlier parse font subglyph structures in TrueType GX and variable font files. The code mistakenly casts a signed short to an unsigned long, which wraps around and allocates a heap buffer that is too small. Up to six signed long integers are then written beyond the buffer’s end, allowing an attacker to hijack control flow and achieve arbitrary code execution. This is a classic heap overflow (CWE‑787).
Affected Systems
The vulnerability affects FreeType libraries up to and including version 2.13.0. It is bundled with many Linux distributions, including Red Hat Enterprise Linux 8 and 9, Red Hat OpenShift 4.12, and various Red Hat support streams. Any application or service that loads TrueType GX or variable font files via FreeType may be exposed.
Risk and Exploitability
With a CVSS score of 8.1 and an EPSS score of 26%, the risk is high. The vulnerability is listed in the CISA KEV catalog, indicating that exploits have been reported in the wild. Attackers could deliver specially crafted font files locally or remotely to any application that processes them, potentially leading to remote code execution. The likely attack vector is the input of manipulated font files to a vulnerable process.
OpenCVE Enrichment
Debian DLA
Debian DSA
Ubuntu USN