CVE-2025-50949
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-10-27
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fontforge | fontforge | 2023-01-01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50949 is a memory leak vulnerability in the FontForge software, specifically in the function DlgCreate8. The issue causes a 40-byte memory leak because allocated memory is not properly freed, which was detected using LeakSanitizer. This leak can accumulate over time, leading to resource exhaustion. [1]
How can this vulnerability impact me?
The memory leak in FontForge can lead to resource exhaustion, which may cause the software to crash or become unresponsive, resulting in a Denial of Service (DoS). This can disrupt normal operations when using FontForge. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by using LeakSanitizer to monitor FontForge for memory leaks. LeakSanitizer reports direct leaks, such as the 40-byte leak in the `vsmprintf` function called within `DlgCreate8`. Running FontForge under LeakSanitizer and analyzing the output for leaks related to `DlgCreate8` or `vsmprintf` can help identify the issue. [1]
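One way to triage the LeakSanitizer output described above, as an added example that is not code from this page or from FontForge: it parses a saved report into leak records and keeps those whose allocation stack passes through `vsmprintf` beneath `DlgCreate8`. The report text, addresses, paths and the helper names `parse_leaks` and `leaks_through` are constructed for illustration.

```python
import re

# Constructed LeakSanitizer report (PID, addresses, paths and line numbers are made up).
SAMPLE_REPORT = """\
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7f0000000001 in malloc (/usr/lib/libasan.so+0x1)
    #1 0x7f0000000002 in vsmprintf /src/example/a.c:10
    #2 0x7f0000000003 in DlgCreate8 /src/example/b.c:20

Indirect leak of 16 byte(s) in 2 object(s) allocated from:
    #0 0x7f0000000001 in calloc (/usr/lib/libasan.so+0x2)
    #1 0x7f0000000005 in unrelated_fn /src/example/d.c:40

SUMMARY: AddressSanitizer: 56 byte(s) leaked in 3 allocation(s).
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\) allocated from:")
FRAME = re.compile(r"^\s+#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)")

def parse_leaks(report):
    """Return one dict per leak record: kind, bytes, objects, frames (function names)."""
    leaks, current = [], None
    for line in report.splitlines():
        h = HEADER.match(line)
        if h:
            current = {"kind": h.group(1), "bytes": int(h.group(2)),
                       "objects": int(h.group(3)), "frames": []}
            leaks.append(current)
            continue
        f = FRAME.match(line)
        if f and current is not None:
            current["frames"].append(f.group(1))
        elif not line.strip():
            current = None  # a blank line ends the stack of the current record
    return leaks

def leaks_through(report, callee="vsmprintf", caller="DlgCreate8"):
    """Keep leak records where callee sits closer to the allocation than caller."""
    hits = []
    for leak in parse_leaks(report):
        fr = leak["frames"]
        if callee in fr and caller in fr and fr.index(callee) < fr.index(caller):
            hits.append(leak)
    return hits

if __name__ == "__main__":
    for leak in leaks_through(SAMPLE_REPORT):
        print(f'{leak["kind"]} leak, {leak["bytes"]} bytes: {" <- ".join(leak["frames"])}')
```

Matching on frame order rather than on the byte count keeps the filter useful when the leaked size differs between runs or when inlined frames appear between the two functions.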
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update FontForge to the fixed version available in the master branch as of November 11, 2024, which includes the patch that properly frees the allocated memory in the `DlgCreate8` function. This update eliminates the memory leak and prevents potential Denial of Service. [1]