Description
An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure or Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw is an integer overflow in the tt_var_load_item_variation_store function that can cause an out‑of‑bounds read when parsing certain tables in variable OpenType fonts. This can leak arbitrary data from memory or cause the library to crash, leading to information disclosure or denial of service, depending on the target application.

Affected Systems

Vulnerable versions are FreeType 2.13.2 and 2.13.3 used in many Linux distributions, desktop environments, and applications that render fonts. The fix is delivered in FreeType 2.14.2 and later. Systems and programs that rely on these versions and process variable fonts without proper validation are affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate level of severity. The EPSS score is below 1 %, meaning the exploitation likelihood is currently very low. The vulnerability is not listed in KEV. The likely attack vector is any application that parses a user‑supplied font file via Freetype; an attacker can supply a crafted HVAR/VVAR/MVAR table to trigger the overflow.

Generated by OpenCVE AI on April 16, 2026 at 14:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Freetype library to version 2.14.2 or later, which contains the fix.
  • If an update cannot be performed immediately, disable or avoid loading variable fonts in applications that use Freetype until the library is patched.
  • Validate or sanitize font files before feeding them to the rendering engine, and avoid processing untrusted external fonts.

Generated by OpenCVE AI on April 16, 2026 at 14:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6168-1 freetype security update
History

Thu, 05 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Freetype: Freetype: Information disclosure or denial of service via specially crafted font files
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Freetype
Freetype freetype
Vendors & Products Freetype
Freetype freetype

Wed, 04 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
References

Mon, 02 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C'}

Subscriptions

Freetype Freetype
cve-icon MITRE

Status: PUBLISHED

Assigner: Meta

Published:

Updated: 2026-03-04T00:16:54.590Z

Reserved: 2026-01-16T19:49:26.309Z

Link: CVE-2026-23865

cve-icon Vulnrichment

Updated: 2026-03-04T00:16:54.590Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-02T17:16:32.100

Modified: 2026-03-04T01:15:55.710

Link: CVE-2026-23865

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-02T16:09:42Z

Links: CVE-2026-23865 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses