CVE-2022-27404: Out-of-bounds Write in Freetype

CWE-787: Out-of-bounds Write | 15 documents | 10 sources
Severity: 9.8 CRITICAL (NVD)
EPSS: 0.1% (top 68.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 22; Latest update Apr 10

Description

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (11 packages)

debian | debian/freetype | < freetype 2.11.1+dfsg-2 (bookworm)
NVD | freetype/freetype | < 2.12.0
Debian | freetype/freetype | < 2.10.4+dfsg-1+deb11u1+3

Also affects: Fedora 34, 35, 36

Patches

Vulnerability Details (2)

GHSA | GHSA-22wv-f9f6-xwwm: FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face | 2022-04-23
OSV | CVE-2022-27404: FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face | 2022-04-22

Vendor Advisories (8)

Palo Alto | PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS | 2024-04-10
Oracle | Oracle Supply Chain Risk Matrix: Security (FreeType) — CVE-2022-27404 | 2023-07-15
Oracle | Oracle Construction and Engineering Risk Matrix: Document Viewing using Outside In technology (FreeType) — CVE-2022-27404 | 2023-04-15
Oracle | Oracle Communications Risk Matrix: Install/Upgrade (FreeType) — CVE-2022-27404 | 2023-01-15
Ubuntu | FreeType vulnerabilities | 2022-07-20

Threat Intelligence (4)

Qualys | Oracle Patch Tuesday, July 2023 Security Update Review | 2023-07-19
Qualys | Oracle Patch Tuesday, July 2023 Security Update Review | Qualys | 2023-07-19
Qualys | Oracle Security Updates: Critical Patch April 2023 Advisory | Qualys | 2023-04-19
Qualys | Oracle Patch Tuesday April 2023 Security Update Review | 2023-04-19