CVE-2026-23865

CVE-2026-23865

Name

CVE-2026-23865

Description

An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
cve-assign@fb.com	https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
cve-assign@fb.com	https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/
cve-assign@fb.com	https://www.facebook.com/security/advisories/cve-2026-23865
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/03/03/8

Type

URI

cve-assign@fb.com

https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c

cve-assign@fb.com

https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/

cve-assign@fb.com

https://www.facebook.com/security/advisories/cve-2026-23865

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2026/03/03/8

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:freetype:freetype::::::::`	freetype	>= 2.13.2	<= 2.13.3
`cpe:2.3:a:freetype:freetype::::::::`	freetype	>= 2.14.0	<= 2.14.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*

freetype

>= 2.13.2

<= 2.13.3

cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*

freetype

>= 2.14.0

<= 2.14.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openjdk21	edge-community	21.0.11_p10-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk17	edge-community	17.0.19_p10-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk11	edge-community	11.0.31_p11-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
freetype	edge-main	2.14.1-r1	Achill Gilgenast <achill@achill.org>	possibly vulnerable
freetype	edge-main	2.14.1-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
freetype	edge-main	2.13.3-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
freetype	3.23-main	2.14.1-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
freetype	3.22-main	2.13.3-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
freetype	3.21-main	2.13.3-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
freetype	3.20-main	2.13.2-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
freetype	3.19-main	2.13.2-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

openjdk21

edge-community

21.0.11_p10-r0

Simon Frankenberger <simon-alpine@fraho.eu>

fixed

openjdk17

edge-community