CVE-2026-22693
Null Pointer Dereference in HarfBuzz Causes Potential Crash

Publication date: 2026-01-10

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.
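To make the defect concrete, the following is an added illustration written for this page, not HarfBuzz source: the allocate-then-placement-new shape the description refers to, beside the checked form that the fix adds. The allocator hook `fake_hb_malloc`, the `SubtableCache` type and the `create_unchecked`/`create_checked` names are assumptions; the hook can be switched to return NULL, standing in for a low-memory condition or a failure-injecting custom allocator.

```cpp
#include <cstdlib>
#include <cstddef>
#include <new>

// Constructed stand-in for hb_malloc: when the flag is set it returns NULL,
// which is exactly the condition the unchecked code never handled.
static bool g_simulate_alloc_failure = false;

static void *fake_hb_malloc (size_t size)
{
  if (g_simulate_alloc_failure) return nullptr;
  return std::malloc (size);
}

static void fake_hb_free (void *p) { std::free (p); }

// Stand-in for the cache object the real code builds with placement new.
struct SubtableCache
{
  unsigned count;
  explicit SubtableCache (unsigned c) : count (c) {}
};

// Vulnerable pattern (CWE-476): the allocator result goes straight into
// placement new. If mem is NULL the constructor writes through NULL, which is
// undefined behaviour and in practice a segmentation fault.
static SubtableCache *create_unchecked (unsigned c)
{
  void *mem = fake_hb_malloc (sizeof (SubtableCache));
  return new (mem) SubtableCache (c);   // UB when mem == nullptr
}

// Fixed pattern: test the allocation first and propagate NULL to the caller,
// which is the kind of null check the 12.3.0 fix adds.
static SubtableCache *create_checked (unsigned c)
{
  void *mem = fake_hb_malloc (sizeof (SubtableCache));
  if (!mem) return nullptr;             // the missing NULL check
  return new (mem) SubtableCache (c);
}

// Mirror of create_checked: run the destructor, then release the storage.
static void destroy (SubtableCache *cache)
{
  if (!cache) return;
  cache->~SubtableCache ();
  fake_hb_free (cache);
}
```

Callers of the checked form must in turn handle a NULL result; the point of the fix is that allocation failure becomes an error the caller sees rather than a crash.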
Meta Information
Published: 2026-01-10
Last Modified: 2026-02-18
Generated: 2026-05-07
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (1 associated CPE)
Vendor: harfbuzz_project
Product: harfbuzz
Version / Range: up to 12.3.0 (excluding)
Exploitability
CWE
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can lead to a Denial of Service (DoS) condition. When the null pointer dereference occurs, it causes a segmentation fault that crashes the application using HarfBuzz, potentially disrupting font processing and any dependent services or applications. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for segmentation faults or crashes in applications using HarfBuzz, especially those related to font processing. Using AddressSanitizer (ASAN) with fuzzing enabled can reproduce the issue by simulating memory allocation failures. A proof-of-concept is available in the HarfBuzz fuzzing tests (test/fuzzing/repro.cc). Specific commands would involve running the vulnerable application under ASAN with fuzzing enabled to trigger the null pointer dereference. For example, compiling the application with ASAN and running the fuzzing tests can help detect the vulnerability. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade HarfBuzz to version 12.3.0 or later, where the vulnerability has been patched by adding a null check after memory allocation in the SubtableUnicodesCache::create function. If upgrading is not immediately possible, monitoring for crashes and avoiding low-memory conditions or custom allocators that simulate allocation failures may reduce the risk. Applying the patch from the commit identified by SHA 1265ff8 (https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae) is also a direct fix. [1]


Can you explain this vulnerability to me?

CVE-2026-22693 is a null pointer dereference vulnerability in the HarfBuzz text shaping engine, specifically in the SubtableUnicodesCache::create function. The function allocates memory using hb_malloc but does not check if the allocation returned NULL before using placement new to construct an object at that memory address. If hb_malloc fails (e.g., due to low memory), it returns NULL, and the code then attempts to construct an object at this null pointer, causing undefined behavior and a segmentation fault. [2]

