CVE-2015-9274 — Out-of-bounds Read in Project Harfbuzz

CWE-125 — Out-of-bounds Read CWE-400 — Uncontrolled Resource Consumption7 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 32.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Harfbuzz Project Harfbuzz Debian Harfbuzz

Timeline

PublishedNov 15

Latest updateNov 28

Description

HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/harfbuzz< harfbuzz 1.2.6-1 (bookworm)

▶NVDharfbuzz_project/harfbuzz< 1.0.4

▶Debianharfbuzz_project/harfbuzz< 1.2.6-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-95rc-6f28-2jcq: HarfBuzz before 1↗2022-05-14

▶

OSV

CVE-2015-9274: HarfBuzz before 1↗2018-11-15

▶

📋Vendor Advisories

Ubuntu

HarfBuzz vulnerability↗2022-11-28

▶

Red Hat

harfbuzz: DoS due to GPOS and GSUB table mishandling↗2015-09-29

▶

Debian

CVE-2015-9274: harfbuzz - HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (inva...↗2015

▶

💬Community

Bugzilla

CVE-2015-9274 harfbuzz: DoS due to GPOS and GSUB table mishandling↗2018-11-21

▶