CVE-2026-22693 — NULL Pointer Dereference in Harfbuzz

CWE-476 — NULL Pointer Dereference11 documents7 sources

Severity

7.5HIGHNVD

NVD5.3OSV5.3

EPSS

0.1%

top 78.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Harfbuzz JV Harfbuzz Shaper Harfbuzz Project Harfbuzz +8 more

Timeline

PublishedJan 10

Latest updateJan 19

Description

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The co…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages12 packages

▶NVDjv/harfbuzz< 0.032

▶debiandebian/harfbuzz< harfbuzz 12.3.0-4 (forky)

▶CVEListV5harfbuzz/harfbuzz< 12.3.0

▶CVEListV5jv/harfbuzz_shaper< 0.032

▶NVDharfbuzz_project/harfbuzz< 12.3.0

Patches

Patch: github.com ↗Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

CVE-2026-0943: HarfBuzz::Shaper versions before 0↗2026-01-19

▶

GHSA

GHSA-hmr2-524c-vv28: HarfBuzz::Shaper versions before 0↗2026-01-19

▶

OSV

CVE-2026-22693: HarfBuzz is a text shaping engine↗2026-01-10

▶

📋Vendor Advisories

Microsoft

Null Pointer Dereference in SubtableUnicodesCache::create leading to DoS↗2026-01-13

▶

Red Hat

harfbuzz: Null Pointer Dereference in harfbuzz↗2026-01-10

▶

Debian

CVE-2026-0943: libharfbuzz-shaper-perl - HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with ...↗2026

▶

Debian

CVE-2026-22693: harfbuzz - HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer deref...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0943 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22693 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶