CVE-2026-23865
MEDIUM 5.3 | EPSS 0.02% | freetype - security update
Published: 2026/3/2 | Modified: 2026/5/8
Description
An integer overflow in the tt_var_load_item_variation_store function of the FreeType library in versions 2.13.2 and 2.13.3 may allow an out-of-bounds read when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.
Affected packages (5)
- Bitnami/java: >= 9.0.0, < 11.0.31; >= 12.0.0, < 17.0.19; >= 18.0.0, < 21.0.11; >= 22.0.0, < 25.0.3; >= 26.0.0, < 26.0.1
- Bitnami/java-min: >= 9.0.0, < 11.0.31; >= 12.0.0, < 17.0.19; >= 18.0.0, < 21.0.11; >= 22.0.0, < 25.0.3; >= 26.0.0, < 26.0.1
- Bitnami/jre: >= 9.0.0, < 11.0.31; >= 12.0.0, < 17.0.19; >= 18.0.0, < 21.0.11; >= 22.0.0, < 25.0.3; >= 26.0.0, < 26.0.1
- Debian/freetype: from 0, < 2.13.3+dfsg-1+deb13u1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
References (6)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-23865
- WEB: https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2026-23865
- WEB: https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/
- WEB: https://www.facebook.com/security/advisories/cve-2026-23865
- WEB: http://www.openwall.com/lists/oss-security/2026/03/03/8