CVE-2026-34085
Off-by-One Write in fontconfig Sfnt Handling Causes Code Execution
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fontconfig_project | fontconfig | to 2.17.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in fontconfig versions before 2.17.1. It is caused by an off-by-one error in memory allocation during the handling of sfnt capabilities in the function FcFontCapabilities within the file fcfreetype.c. This error leads to a one-byte out-of-bounds write, which can potentially cause a crash or allow code execution.
How can this vulnerability impact me? :
The vulnerability can lead to a one-byte out-of-bounds write, which may cause the affected application to crash or, in a worst-case scenario, allow an attacker to execute arbitrary code. This can compromise the stability and security of systems using vulnerable versions of fontconfig.