CVE-2025-15273
Stack-Based Buffer Overflow in FontForge PFB Parsing Enables RCE
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: Zero Day Initiative
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fontforge | fontforge | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15273 is a remote code execution vulnerability in FontForge caused by improper validation of the length of user-supplied data when parsing PFB (Printer Font Binary) files. This flaw leads to a stack-based buffer overflow, allowing an attacker to execute arbitrary code with the privileges of the current user. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious webpage. [1]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute arbitrary code on your system with the privileges of the current user. This could lead to unauthorized actions such as installing malware, stealing data, or taking control of the affected system. Since exploitation requires user interaction, the risk arises when a user opens a malicious file or visits a malicious webpage. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid opening untrusted or suspicious PFB files and do not visit untrusted webpages that might exploit this flaw. Ensure that your FontForge installation is updated with any patches or security updates provided by the vendor once available. Additionally, consider restricting user permissions to limit the impact of potential exploitation. [1]