CVE-2026-22693

Name
CVE-2026-22693
Description
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check whether hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a segmentation fault. This issue has been patched in version 12.3.0.
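The allocate-then-construct pattern the description refers to, shown beside its checked form, as an added example that is not HarfBuzz's own code: a hypothetical `UnicodesCache` stands in for `SubtableUnicodesCache`, and an injectable allocator stands in for `hb_malloc` so that an allocation failure can be simulated and the hardened version shown returning NULL instead of constructing into it.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>

// Hypothetical allocator hook standing in for hb_malloc; a test can swap in
// one that simulates out-of-memory.
using alloc_fn = void *(*)(size_t);

// Hypothetical stand-in for SubtableUnicodesCache.
struct UnicodesCache {
  unsigned entries = 0;
};

// Pattern described in the advisory: placement new on an unchecked allocation.
// If alloc returns NULL the constructor runs on a null pointer (undefined
// behaviour, observed as a segmentation fault), so only ever call this with
// an allocator that cannot fail.
UnicodesCache *create_unchecked(alloc_fn alloc) {
  UnicodesCache *cache = (UnicodesCache *) alloc(sizeof(UnicodesCache));
  new (cache) UnicodesCache();
  return cache;
}

// Hardened form: test the allocation before constructing into it and let the
// caller see the failure as a NULL result.
UnicodesCache *create_checked(alloc_fn alloc) {
  UnicodesCache *cache = (UnicodesCache *) alloc(sizeof(UnicodesCache));
  if (!cache) return nullptr;
  new (cache) UnicodesCache();
  return cache;
}

// Tear-down that tolerates the NULL the checked path can return.
void destroy(UnicodesCache *cache) {
  if (!cache) return;
  cache->~UnicodesCache();
  free(cache);
}

// Constructed allocators: one that succeeds and one that simulates failure.
void *alloc_ok(size_t n) { return malloc(n); }
void *alloc_fail(size_t) { return nullptr; }

// True when a failing allocator is handled without dereferencing NULL.
bool survives_allocation_failure() {
  UnicodesCache *cache = create_checked(alloc_fail);
  bool ok = (cache == nullptr);
  destroy(cache);
  return ok;
}
```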
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
CONFIRM https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2026/01/11/1
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2026/01/12/1

Match rules

CPE URI Source package Min version Max version
harfbuzz >= 0 < 12.3.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
harfbuzz edge-main 12.2.0-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 12.2.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 11.3.2-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 11.2.1-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 11.2.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 10.2.0-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 10.2.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 10.1.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 9.0.0-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz edge-main 4.4.1-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz 3.23-main 12.2.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz 3.22-main 11.2.1-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz 3.22-main 4.4.1-r0 None possibly vulnerable
harfbuzz 3.21-main 9.0.0-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz 3.21-main 4.4.1-r0 None possibly vulnerable
harfbuzz 3.20-main 8.5.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz 3.20-main 4.4.1-r0 None possibly vulnerable
harfbuzz 3.19-main 8.3.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
harfbuzz 3.19-main 4.4.1-r0 None possibly vulnerable