CVE-2025-15271
Unknown Unknown - Not Provided
Improper Array Index Validation in FontForge SFD Leads to RCE

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: Zero Day Initiative

Description
FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28562.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15271
EUVD
EUVD-2025-205896
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fontforge fontforge *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15271 is a remote code execution vulnerability in FontForge that occurs due to improper validation of array indices when parsing SFD files. This flaw allows an attacker to write past the end of an allocated array by supplying malicious data. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious webpage, and enables the attacker to execute arbitrary code with the privileges of the current user. [1]

Impact Analysis

This vulnerability can allow remote attackers to execute arbitrary code on your system with the privileges of the current user. This can lead to unauthorized access, data theft, system compromise, or disruption of services. Since the attack requires user interaction, the risk arises when a user opens a malicious file or visits a malicious webpage. The high CVSS score of 8.8 indicates a severe impact on confidentiality, integrity, and availability. [1]

Mitigation Strategies

To mitigate this vulnerability, avoid opening untrusted SFD files or visiting untrusted webpages that could contain malicious FontForge files. Ensure that your FontForge installation is updated with any patches provided by the vendor addressing this issue. Additionally, restrict user privileges to limit the impact of potential exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart