Impact
HarfBuzz::Shaper (the Perl binding) in versions before 0.032 bundles the HarfBuzz 8.4.0 or earlier source package, which contains a null pointer dereference (CWE-476). Certain input makes the bundled library dereference a null pointer and segfault, crashing the Perl process that has loaded the module. The impact is denial of service: the crash terminates the user process or web service that relies on the module. The CVE data describes no remote code execution path. The attack vector is inferred to be ordinary use of the vulnerable module, for example a text-shaping request whose text is supplied by an attacker.
Affected Systems
The vulnerability affects the HarfBuzz::Shaper Perl module (vendor JV, distributed via CPAN as HarfBuzz::Shaper) in versions prior to 0.032. Any installation that loads the module, and with it the bundled HarfBuzz 8.4.0 or earlier library, is impacted. Because the module embeds its own copy of HarfBuzz, the version of the system HarfBuzz package is not what matters; the module version is. Version information from the CNA indicates that 0.032 and later replace the bundled library with HarfBuzz 12.3.0, which removes the fault, so remediation is an upgrade of the Perl module.
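As a practical check for the version range above (an added example, not code from the advisory or from the HarfBuzz::Shaper distribution): the script below reports whether a given HarfBuzz::Shaper version string falls in the affected range (below 0.032) and, on request, queries the locally installed module. It relies on the conventional $HarfBuzz::Shaper::VERSION variable that CPAN modules set; the call to HarfBuzz::Shaper::hb_version_string() for the bundled library version is an assumption and is treated as optional.

```shell
#!/bin/sh
# Added example, not part of the advisory or of HarfBuzz::Shaper itself.
# Decides whether a HarfBuzz::Shaper version string is in the affected
# range (< 0.032) and, on request, inspects the installed module.

FIXED_VERSION="0.032"   # first release that bundles HarfBuzz 12.3.0

# is_affected VERSION
#   Prints "affected", "fixed" or "unknown". Exit status: 0 affected,
#   1 fixed, 2 unknown. Plain CPAN decimal versions ("0.031", "0.032")
#   compare as numbers, which is how Perl compares them; awk does the
#   floating-point comparison because POSIX sh arithmetic is integer only.
is_affected() {
    ver="${1#v}"   # tolerate a leading "v" (constructed input form)
    case "$ver" in
        *.*.*|*[!0-9.]*|"")
            # dotted-decimal ("0.32.0") or non-numeric strings are not
            # plain decimal versions and would compare wrongly; do not guess
            echo unknown
            return 2 ;;
    esac
    if awk -v a="$ver" -v b="$FIXED_VERSION" 'BEGIN { exit !(a + 0 < b + 0) }'; then
        echo affected
        return 0
    fi
    echo fixed
    return 1
}

# check_installed
#   Reports the installed module version via $HarfBuzz::Shaper::VERSION and
#   the HarfBuzz release it bundles. hb_version_string() is ASSUMED to be
#   provided by the module; if the call fails, "unknown" is reported.
check_installed() {
    command -v perl >/dev/null 2>&1 || { echo "perl not found"; return 2; }
    mod_ver=$(perl -MHarfBuzz::Shaper -e 'print $HarfBuzz::Shaper::VERSION' 2>/dev/null) \
        || { echo "HarfBuzz::Shaper is not installed"; return 2; }
    hb_ver=$(perl -MHarfBuzz::Shaper -e 'print HarfBuzz::Shaper::hb_version_string()' 2>/dev/null) \
        || hb_ver=unknown
    echo "HarfBuzz::Shaper $mod_ver (bundled HarfBuzz ${hb_ver:-unknown}): $(is_affected "$mod_ver")"
}

# Usage: sh check.sh 0.031        -> affected
#        sh check.sh --installed  -> report on the locally installed module
case "${1:-}" in
    "")          ;;                  # sourced or run without args: nothing to do
    --installed) check_installed ;;
    *)           is_affected "$1" ;;
esac
```

Run it with a version string to classify a version seen in a lockfile or `cpan -l` listing, or with `--installed` on the host in question. Checking the system libharfbuzz package is not a substitute: the module carries its own copy, so only the module version (and the bundled version it reports) tells you whether the host is exposed.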
Risk and Exploitability
The CVSS score of 7.5 places the vulnerability in the High severity band. The EPSS score of less than 1 percent indicates a very low estimated likelihood of exploitation in the wild at this time, and the vulnerability is not currently listed in CISA's KEV catalog. The exploitation pathway is a crash of the server or application when the module shapes user-supplied input that triggers the null dereference. Exploitation requires the vulnerable module to be loaded and fed attacker-influenced text, so a system that merely has the module installed but never loads it is at lower risk. The High rating nevertheless warrants remediation by upgrading to 0.032 or later.
OpenCVE Enrichment