{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23865", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "state": "PUBLISHED", "assignerShortName": "Meta", "dateReserved": "2026-01-16T19:49:26.309Z", "datePublished": "2026-03-02T16:09:42.079Z", "dateUpdated": "2026-03-04T00:16:54.590Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "FreeType", "vendor": "FreeType", "versions": [{"lessThanOrEqual": "2.13.3", "status": "affected", "version": "2.13.2", "versionType": "semver"}, {"lessThanOrEqual": "2.14.1", "status": "affected", "version": "2.14.0", "versionType": "semver"}]}], "dateAssigned": "2026-02-17T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2."}], "problemTypes": [{"descriptions": [{"description": "CWE-125: Out of Bounds Read", "lang": "en"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "Meta", "dateUpdated": "2026-03-02T16:09:42.079Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.facebook.com/security/advisories/cve-2026-23865"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T16:25:34.989518Z", "id": "CVE-2026-23865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T16:26:15.902Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/03/8"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-04T00:16:54.590Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/03/8"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-04T00:16:54.590Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T16:25:34.989518Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T16:25:48.848Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "FreeType", "product": "FreeType", "versions": [{"status": "affected", "version": "2.13.2", "versionType": "semver", "lessThanOrEqual": "2.13.3"}, {"status": "affected", "version": "2.14.0", "versionType": "semver", "lessThanOrEqual": "2.14.1"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.facebook.com/security/advisories/cve-2026-23865", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/", "tags": ["x_refsource_CONFIRM"]}], "dateAssigned": "2026-02-17T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out of Bounds Read"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "Meta", "dateUpdated": "2026-03-02T16:09:42.079Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23865", "state": "PUBLISHED", "dateUpdated": "2026-03-04T00:16:54.590Z", "dateReserved": "2026-01-16T19:49:26.309Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2026-03-02T16:09:42.079Z", "assignerShortName": "Meta"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*", "matchCriteriaId": "31E09E2F-28D3-440A-ADA4-D58EEF53733B", "versionEndIncluding": "2.13.3", "versionStartIncluding": "2.13.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*", "matchCriteriaId": "57620D53-213B-4593-BC11-37A948627473", "versionEndIncluding": "2.14.1", "versionStartIncluding": "2.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2."}, {"lang": "es", "value": "Un desbordamiento de entero en la funci\u00f3n tt_var_load_item_variation_store de la librer\u00eda Freetype en las versiones 2.13.2 y 2.13.3 puede permitir una operaci\u00f3n de lectura fuera de l\u00edmites al analizar tablas HVAR/VVAR/MVAR en fuentes variables OpenType. Este problema est\u00e1 solucionado en la versi\u00f3n 2.14.2."}], "id": "CVE-2026-23865", "lastModified": "2026-05-01T17:41:13.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cve-assign@fb.com", "type": "Secondary"}]}, "published": "2026-03-02T17:16:32.100", "references": [{"source": "cve-assign@fb.com", "tags": ["Patch"], "url": "https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c"}, {"source": "cve-assign@fb.com", "tags": ["Release Notes"], "url": "https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/"}, {"source": "cve-assign@fb.com", "tags": ["Third Party Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2026-23865"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2026/03/03/8"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Freetype: Freetype: Information disclosure or denial of service via specially crafted font files", "id": "2443891", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443891"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "details": ["An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2."], "name": "CVE-2026-23865", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/eventrouter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/fluentd-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/log-file-metric-exporter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-view-plugin-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/vector-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Fix deferred", "package_name": "java-11-openjdk", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Fix deferred", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Fix deferred", "package_name": "java-17-openjdk-portable", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Fix deferred", "package_name": "java-21-openjdk-portable", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:25", "fix_state": "Fix deferred", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 25"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "freetype", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "java-25-openjdk", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "freetype", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "freetype", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "freetype", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mingw-freetype", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "freetype", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-25-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-02T16:09:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23865\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23865\nhttps://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c\nhttps://sourceforge.net/projects/freetype/files/freetype2/2.14.2/\nhttps://www.facebook.com/security/advisories/cve-2026-23865"], "statement": "This is a MODERATE impact vulnerability. An integer overflow in the Freetype library can lead to an out-of-bounds read when processing specially crafted OpenType variable fonts. Exploitation requires user interaction, such as opening a malicious font file.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.13.2,2.13.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.14.0,2.14.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FreeType", "source": "cna", "vendor": "FreeType"}, "product": "freetype", "vendor": "freetype"}], "analysis": {"en": {"generated_at": "2026-04-16T14:32:22.453470+00:00", "value": {"mitigation_remediation": ["Update the Freetype library to version 2.14.2 or later, which contains the fix.", "If an update cannot be performed immediately, disable or avoid loading variable fonts in applications that use Freetype until the library is patched.", "Validate or sanitize font files before feeding them to the rendering engine, and avoid processing untrusted external fonts."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure or Denial of Service"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are FreeType 2.13.2 and 2.13.3 used in many Linux distributions, desktop environments, and applications that render fonts. The fix is delivered in FreeType 2.14.2 and later. Systems and programs that rely on these versions and process variable fonts without proper validation are affected.", "description_and_impact": "The flaw is an integer overflow in the tt_var_load_item_variation_store function that can cause an out\u2011of\u2011bounds read when parsing certain tables in variable OpenType fonts. This can leak arbitrary data from memory or cause the library to crash, leading to information disclosure or denial of service, depending on the target application.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate level of severity. The EPSS score is below 1\u202f%, meaning the exploitation likelihood is currently very low. The vulnerability is not listed in KEV. The likely attack vector is any application that parses a user\u2011supplied font file via Freetype; an attacker can supply a crafted HVAR/VVAR/MVAR table to trigger the overflow."}}}}, "created": "2026-03-03T08:42:54.898487+00:00", "updated": "2026-04-16T14:45:25.928054+00:00", "vendors": ["freetype", "freetype$PRODUCT$freetype"]}