CVE-2024-56732 — Heap-based Buffer Overflow in Harfbuzz

CWE-122 — Heap-based Buffer Overflow5 documents5 sources

Severity

9.3CRITICALNVD

EPSS

0.3%

top 51.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Harfbuzz Project Harfbuzz Debian Harfbuzz Harfbuzz +3 more

Timeline

PublishedDec 27

Latest updateJan 16

Description

HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages6 packages

▶debiandebian/harfbuzz< harfbuzz 10.1.0-2 (forky)

▶Debianharfbuzz_project/harfbuzz< 10.1.0-2+1

▶CVEListV5harfbuzz/harfbuzz>= 8.5.0, <= 10.0.1

▶msrcmsrc/azl3_harfbuzz_8.3.0-3_on_azure_linux_3.0

▶msrcmsrc/azl3_qtbase_6.6.3-2_on_azure_linux_3.0

🔴Vulnerability Details

OSV

CVE-2024-56732: HarfBuzz is a text shaping engine↗2024-12-27

▶

📋Vendor Advisories

Ubuntu

HarfBuzz vulnerability↗2025-01-16

▶

Microsoft

HarfBuzz heap-buffer-overflow on hb_cairo_glyphs_from_buffer↗2024-12-10

▶

Debian

CVE-2024-56732: harfbuzz - HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is ...↗2024

▶