CVE-2026-23865
Integer Overflow in Freetype Causes Out-of-Bounds Read
Publication date: 2026-03-02
Last updated on: 2026-05-01
Assigner: Facebook, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freetype | freetype | From 2.13.2 (inc) to 2.13.3 (inc) |
| freetype | freetype | From 2.14.0 (inc) to 2.14.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an integer overflow in the FreeType library's function tt_var_load_item_variation_store, affecting versions 2.13.2 through 2.14.1 (the two ranges listed under Affected Vendors & Products). It occurs when parsing the HVAR, VVAR, or MVAR tables of OpenType variable fonts. Specifically, the multiplication of two unsigned integers used to calculate the size of an array can overflow, so the allocation ends up smaller than the number of elements the loader subsequently accesses, and reads run past the end of the buffer. This out-of-bounds read can corrupt memory or cause unexpected behavior.

The issue is fixed in version 2.14.2 by adding a check that verifies the multiplication did not overflow before proceeding with memory allocation. [1]
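The overflow pattern described above, as an added example that is not FreeType's code and not taken from the page: a hypothetical loader computes the byte size of a delta-set array from two counts read out of the font, using 32-bit unsigned arithmetic. The function names, the 4-byte element width and the constructed counts are assumptions for the demo; what it shows is the wrapped product beside the checked one, and the gap between what gets allocated and what then gets read.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed element width of each delta entry; a demo constant, not FreeType's layout. */
#define ELEM_SIZE 4u

/* Vulnerable pattern: the byte count is computed in 32-bit unsigned arithmetic,
   which wraps silently when the true product exceeds UINT32_MAX. */
uint32_t delta_bytes_unchecked(uint32_t item_count, uint32_t region_idx_count)
{
    return item_count * region_idx_count * ELEM_SIZE;
}

/* Hardened pattern: test each multiplication against the limit before doing it.
   Returns 0 and stores the size in *out, or -1 if either step would overflow. */
int delta_bytes_checked(uint32_t item_count, uint32_t region_idx_count, uint32_t *out)
{
    uint32_t count;

    if (item_count != 0 && region_idx_count > UINT32_MAX / item_count)
        return -1;                                  /* item_count * region_idx_count wraps */
    count = item_count * region_idx_count;
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;                                  /* count * ELEM_SIZE wraps */
    *out = count * ELEM_SIZE;
    return 0;
}

/* Convenience for callers that only need the size: 0 on overflow. Note that 0 is
   also the legitimate size of an empty store, so call delta_bytes_checked()
   directly when that distinction matters. */
uint32_t delta_bytes_or_zero(uint32_t item_count, uint32_t region_idx_count)
{
    uint32_t bytes;
    return delta_bytes_checked(item_count, region_idx_count, &bytes) == 0 ? bytes : 0;
}

/* Bytes a loader actually walks when it reads every delta: the exact product. */
uint64_t delta_bytes_needed(uint32_t item_count, uint32_t region_idx_count)
{
    return (uint64_t)item_count * region_idx_count * ELEM_SIZE;
}

/* 1 if the unchecked size would allocate fewer bytes than the loader then reads,
   i.e. the out-of-bounds read condition; 0 otherwise. */
int unchecked_allocation_too_small(uint32_t item_count, uint32_t region_idx_count)
{
    return delta_bytes_needed(item_count, region_idx_count) >
           delta_bytes_unchecked(item_count, region_idx_count);
}

int main(void)
{
    /* Constructed counts: each fits the 16-bit fields a font would supply, but
       65535 * 16385 * 4 = 4,295,163,900 exceeds UINT32_MAX and wraps to 196,604. */
    uint32_t items = 0xFFFFu, regions = 0x4001u, bytes;

    printf("unchecked size: %u bytes, truly needed: %llu bytes, too small: %s\n",
           delta_bytes_unchecked(items, regions),
           (unsigned long long)delta_bytes_needed(items, regions),
           unchecked_allocation_too_small(items, regions) ? "yes" : "no");
    printf("checked size: %s\n",
           delta_bytes_checked(items, regions, &bytes) == 0 ? "ok" : "rejected (overflow)");
    return 0;
}
```

The check divides by the first factor rather than multiplying and comparing afterwards, because the comparison has to happen before the wrap occurs; once the product has wrapped there is nothing left to compare against. With a 64-bit intermediate the same test is `(uint64_t)a * b > UINT32_MAX`, which is fine on targets where the final count is still stored in 32 bits.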
How can this vulnerability impact me?
This vulnerability can lead to an out-of-bounds read due to an undersized allocation caused by the integer overflow. When a specially crafted OpenType variable font is processed, that can crash the application, leak memory contents, or cause other unintended behavior.
Because the attack vector is local and user interaction is required (a user or application must load the crafted font), the overall risk is moderate, but it still affects the stability and security of any application that renders fonts with a vulnerable FreeType version. Applications that render fonts embedded in untrusted documents or web pages effectively expose the flaw to remote content, so "local" should not be read as "requires a local account".
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an integer overflow in the FreeType library when parsing certain OpenType variable font tables, so detection comes down to establishing which FreeType version each host, and each application that bundles its own copy, is running.

On Unix-like systems, query the installed version through pkg-config:

pkg-config --modversion freetype2

The older freetype-config --version script works only where it is still installed; FreeType has deprecated it in favour of pkg-config, so its absence is not evidence that the library is missing. Applications that statically link or vendor FreeType (browsers, game engines, PDF renderers) are not covered by the system package and must be checked separately.

If the version is 2.13.2 through 2.14.1, the build is vulnerable; 2.14.2 and later contain the fix. Distribution packages often backport the fix without changing the version string, so on a distribution-managed system check the package changelog or the vendor advisory rather than relying on the version number alone.

The debug message "tt_var_load_item_variation_store: bad delta set array size" is emitted when the overflow check added by the fix fails. Two caveats apply if you plan to monitor for it: the check exists only in patched builds, so the message signals a blocked attempt rather than exploitation of a vulnerable library, and FreeType's trace and error output is compiled out of normal release builds, so the message appears only in libraries built with the debugging options in ftoption.h (FT_DEBUG_LEVEL_ERROR or FT_DEBUG_LEVEL_TRACE) enabled. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the FreeType library to version 2.14.2 or later, where the integer overflow issue has been fixed. Remember to rebuild or update any application that carries its own copy of FreeType, since upgrading the system package does not reach those.

If upgrading immediately is not possible, consider restricting or sanitizing input fonts, especially those containing HVAR, VVAR, or MVAR tables, to prevent processing potentially malicious variable fonts. This is a coarse stopgap: it rejects legitimate variable fonts as well, so it belongs in an upload or quarantine path rather than serving as a substitute for the upgrade.

Also monitor application logs for the debug message "tt_var_load_item_variation_store: bad delta set array size", which indicates that a patched build detected the overflow condition and aborted the operation. As noted under detection, the message only exists in patched builds and only appears when FreeType was compiled with its debug output enabled. [1]
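A pre-filter for the "restrict fonts that carry HVAR, VVAR or MVAR" stopgap above, as an added example that is neither FreeType's code nor the page's own: it walks the sfnt table directory (a 12-byte offset table followed by 16-byte records of tag, checksum, offset and length) and reports which of the three variation tables are present, refusing truncated directories, records whose span lies outside the file, and 'ttcf' collections, which this scanner does not descend into. The function names and the sample bytes are constructed for the demo; the sample is not a real font.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TBL_HVAR 1
#define TBL_VVAR 2
#define TBL_MVAR 4

/* Big-endian field readers; sfnt structures are big-endian. */
static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Walk the table directory and return a bitmask of TBL_* for the variation
   tables found. Returns -1 when the buffer cannot be parsed safely: shorter
   than the 12-byte offset table, a directory that runs past the end of the
   file, a record whose offset/length lies outside the file, or a 'ttcf'
   collection, which this scanner deliberately does not descend into. */
int variation_table_mask(const unsigned char *buf, size_t len)
{
    uint16_t num_tables, i;
    int mask = 0;

    if (len < 12 || memcmp(buf, "ttcf", 4) == 0)
        return -1;
    num_tables = rd16(buf + 4);
    if ((len - 12) / 16 < num_tables)           /* directory truncated */
        return -1;

    for (i = 0; i < num_tables; i++) {
        const unsigned char *rec = buf + 12 + (size_t)i * 16;
        uint32_t off  = rd32(rec + 8);
        uint32_t tlen = rd32(rec + 12);

        if (off > len || tlen > len - off)       /* table span outside file */
            return -1;
        if (memcmp(rec, "HVAR", 4) == 0)      mask |= TBL_HVAR;
        else if (memcmp(rec, "VVAR", 4) == 0) mask |= TBL_VVAR;
        else if (memcmp(rec, "MVAR", 4) == 0) mask |= TBL_MVAR;
    }
    return mask;
}

/* Constructed sample (not a real font): sfnt version 0x00010000, two
   directory entries, and 4 bytes of dummy payload per table. */
unsigned char sample_font[12 + 2 * 16 + 8];

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Fill sample_font with a 'head' table plus either 'HVAR' or 'glyf' as the
   second entry; returns the byte length of the sample. */
size_t build_sample_font(int with_hvar)
{
    unsigned char *dir = sample_font + 12;

    memset(sample_font, 0, sizeof sample_font);
    put32(sample_font, 0x00010000u);            /* sfntVersion */
    sample_font[4] = 0; sample_font[5] = 2;     /* numTables = 2 */

    memcpy(dir, "head", 4);
    put32(dir + 8, 44); put32(dir + 12, 4);     /* offset, length */
    memcpy(dir + 16, with_hvar ? "HVAR" : "glyf", 4);
    put32(dir + 24, 48); put32(dir + 28, 4);

    return sizeof sample_font;
}

int main(void)
{
    size_t n = build_sample_font(1);
    int mask = variation_table_mask(sample_font, n);

    printf("variation tables: HVAR=%d VVAR=%d MVAR=%d\n",
           !!(mask & TBL_HVAR), !!(mask & TBL_VVAR), !!(mask & TBL_MVAR));
    return 0;
}
```

Treat a -1 result the same as a positive match and reject the file: a filter that lets malformed directories through defeats its own purpose. CFF-flavoured OpenType (sfnt version 'OTTO') uses the same directory layout and is covered; collections would need each sub-font's offset table walked in turn.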