{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-34085", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-25T16:54:36.761Z", "datePublished": "2026-03-25T16:54:37.187Z", "dateUpdated": "2026-04-02T17:50:01.562Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "fontconfig", "vendor": "fontconfig project", "versions": [{"lessThan": "2.17.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-193", "description": "CWE-193 Off-by-one Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T17:50:01.562Z"}, "references": [{"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fontconfig_project:fontconfig:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:57:39.116564Z", "id": "CVE-2026-34085", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:57:45.810Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34085", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:57:39.116564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:57:42.596Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "fontconfig project", "product": "fontconfig", "versions": [{"status": "affected", "version": "0", "lessThan": "2.17.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193 Off-by-one Error"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fontconfig_project:fontconfig:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.17.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T17:50:01.562Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34085", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:50:01.562Z", "dateReserved": "2026-03-25T16:54:36.761Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T16:54:37.187Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fontconfig_project:fontconfig:2.17.0:*:*:*:*:*:*:*", "matchCriteriaId": "9CBF4F07-51C6-46C4-AC6B-88717551EF7A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c."}, {"lang": "es", "value": "fontconfig anterior a 2.17.1 tiene un error de uno en la asignaci\u00f3n durante el manejo de capacidades sfnt, lo que lleva a una escritura fuera de l\u00edmites de un byte, y potencialmente a un fallo o ejecuci\u00f3n de c\u00f3digo. Esto se encuentra en FcFontCapabilities en fcfreetype.c."}], "id": "CVE-2026-34085", "lastModified": "2026-05-12T15:37:22.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T17:17:09.210", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "fontconfig: Fontconfig: Security flaw allows arbitrary code execution or system crash", "id": "2451414", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451414"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-193", "details": ["A flaw was found in fontconfig. This vulnerability, an off-by-one error in how fontconfig handles font capabilities, could allow a local attacker to cause a one-byte out-of-bounds write. This issue may lead to a system crash, resulting in a Denial of Service (DoS), or potentially enable the attacker to execute unauthorized code."], "mitigation": {"lang": "en:us", "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability."}, "name": "CVE-2026-34085", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mingw-fontconfig", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T16:54:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34085\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34085\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.17.1)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "fontconfig", "source": "cna", "vendor": "fontconfig"}, "product": "fontconfig", "vendor": "fontconfig_project"}], "analysis": {"en": {"generated_at": "2026-03-28T06:07:11.761664+00:00", "value": {"mitigation_remediation": ["Update fontconfig to version 2.17.1 or later.", "Verify that the updated package is the correct version and that the system\u2019s font database references it.", "Monitor vendor advisories for any additional mitigations or workaround recommendations."], "summary": {"action": "Patch Immediately", "impact": "Potential code execution or crash"}, "threat_synthesis": {"affected_systems": "Any system running fontconfig 2.16.x or earlier is susceptible. The affected vendor is the Fontconfig Project and all products that ship the library without an official patch are at risk. The specific affected version information is not listed beyond the pre\u20112.17.1 range.", "description_and_impact": "Fontconfig versions prior to 2.17.1 contain an off\u2011by\u2011one error in the allocation of sfnt capabilities within FcFontCapabilities in fcfreetype.c. This flaw results in a one\u2011byte out\u2011of\u2011bounds write that can overwrite adjacent memory, potentially leading to a crash or, if exploited in a particular way, arbitrary code execution. The vulnerability is a classic bounds\u2011check error (CWE\u2011193).", "risk_and_exploitability": "CVSS score of 5.9 and an EPSS score of less than 1% indicate moderate severity yet a low likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalogue, suggesting no widespread public attacks have been observed. The most likely attack path involves an attacker supplying a crafted font file to an application that reads fonts via fontconfig, triggering the off\u2011by\u2011one write during sfnt capability handling and potentially causing a crash or arbitrary code execution. All exploit conditions remain theoretical pending public evidence."}}}}, "created": "2026-03-25T21:46:45.549586+00:00", "updated": "2026-03-29T20:28:22.858569+00:00", "vendors": ["fontconfig_project", "fontconfig_project$PRODUCT$fontconfig"]}