CVE-2016-5384
HIGH7.8EPSS 0.26%fontconfig - security update
Published: 8/13/2016Modified: 4/28/2026
Also known as:DEBIAN-CVE-2016-5384
Description
fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.
Affected packages (3)
- Debian/fontconfigfrom 0, < 2.11.0-6.5
- Debian/fontconfigfrom 0, < 2.9.0-7.1+deb7u1
- Debian/fontconfigfrom 0, < 2.11.0-6.3+deb8u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |