Description
fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.
Published: 2026-03-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential code execution or crash
Action: Patch Immediately
AI Analysis

Impact

Fontconfig versions prior to 2.17.1 contain an off-by-one error in the allocation made during sfnt capability handling in FcFontCapabilities in fcfreetype.c. The flaw results in a one-byte out-of-bounds write that can overwrite adjacent memory, potentially leading to a crash or arbitrary code execution. The weakness is classified as CWE-193 (Off-by-one Error).

Affected Systems

Any system running fontconfig 2.16.x or earlier is susceptible. The affected vendor is the Fontconfig Project, and all products that ship the library without an official patch are at risk. No specific affected versions are listed beyond the pre-2.17.1 range.

Risk and Exploitability

A CVSS score of 5.9 and an EPSS score of less than 1% indicate moderate severity and a low likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalogue, suggesting no widespread public attacks have been observed. The most likely attack path involves an attacker supplying a crafted font file to an application that reads fonts via fontconfig, triggering the off-by-one write during sfnt capability handling and potentially causing a crash or arbitrary code execution. All exploit conditions remain theoretical pending public evidence.

Generated by OpenCVE AI on March 28, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update fontconfig to version 2.17.1 or later.
  • Verify that the updated package is the correct version and that the system’s font database references it.
  • Monitor vendor advisories for any additional mitigations or workaround recommendations.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:fontconfig_project:fontconfig:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Off-by-One Vulnerability in Fontconfig May Enable Code Execution | fontconfig: Fontconfig: Security flaw allows arbitrary code execution or system crash
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fontconfig Project; Fontconfig Project fontconfig
Vendors & Products | | Fontconfig Project; Fontconfig Project fontconfig

Wed, 25 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
Title | | Off-by-One Vulnerability in Fontconfig May Enable Code Execution

Wed, 25 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.
Weaknesses | | CWE-193
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T17:50:01.562Z

Reserved: 2026-03-25T16:54:36.761Z

Link: CVE-2026-34085

Vulnrichment

Updated: 2026-03-27T14:57:42.596Z

NVD

Status: Analyzed

Published: 2026-03-25T17:17:09.210

Modified: 2026-03-27T21:39:33.240

Link: CVE-2026-34085

Redhat

Severity: Moderate

Public Date: 2026-03-25T16:54:37Z

Links: CVE-2026-34085 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-29T20:28:22Z

Weaknesses