CVE-2024-56732

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56732
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56732.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-56732
Aliases
  • GHSA-qmp9-xqm5-jh6m
Downstream
Related
Published
2024-12-27T20:01:50Z
Modified
2025-10-22T18:44:57.151146Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
HarfBuzz heap-buffer-overflow on hb_cairo_glyphs_from_buffer
Details

HarfBuzz is a text shaping engine. Versions 8.5.0 through 10.0.1 contain a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.

Database specific
{
    "cwe_ids": [
        "CWE-122"
    ]
}
References

Affected packages

Git / github.com/harfbuzz/harfbuzz

Affected ranges

Type
GIT
Repo
https://github.com/harfbuzz/harfbuzz
Events

Affected versions

10.*

10.0.0
10.0.1
10.1.0

8.*

8.5.0

9.*

9.0.0

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26",
        "target": {
            "file": "src/hb-cairo.cc"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2024-56732-5b914a9c",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "source": "https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26",
        "target": {
            "file": "src/hb-utf.hh"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2024-56732-801cdbe3",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "source": "https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26",
        "target": {
            "function": "hb_cairo_glyphs_from_buffer",
            "file": "src/hb-cairo.cc"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2024-56732-d1a78223",
        "signature_type": "Function",
        "digest": {
            "length": 2834.0,
            "function_hash": "145248350772007978017605191606756508181"
        }
    }
]