CVE-2026-23865
- Source
- https://cve.org/CVERecord?id=CVE-2026-23865
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23865.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23865
- Downstream
- Related
- Published
- 2026-03-02T17:16:32.100Z
- Modified
- 2026-04-12T20:23:14.038569Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
An integer overflow in the ttvarloaditemvariation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.
- References
Affected packages
Git / gitlab.com/freetype/freetype
Affected ranges
- Type
- GIT
- Repo
- https://gitlab.com/freetype/freetype
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
BETA-5
BETA-6
BETA-7
BETA-8
DATE-050920
PRE-2-0-1
PRE-2-0-6
RELEASE-2-0
VER-2-0
VER-2-0-1
VER-2-0-2
VER-2-0-2-TEST
VER-2-0-3
VER-2-0-4
VER-2-0-5
VER-2-0-6
VER-2-0-7
VER-2-0-8
VER-2-1-0
VER-2-1-1
VER-2-1-1-RC1
VER-2-1-10
VER-2-1-2
VER-2-1-2-RC1
VER-2-1-3
VER-2-1-3-RC1
VER-2-1-3-RC2
VER-2-1-3-RC3
VER-2-1-4
VER-2-1-4-RC1
VER-2-1-4-RC2
VER-2-1-5-RC1
VER-2-1-6
VER-2-1-7
VER-2-1-8
VER-2-1-8-RC1
VER-2-1-9
VER-2-10-0
VER-2-10-1
VER-2-10-2
VER-2-10-3
VER-2-10-4
VER-2-11-0
VER-2-11-1
VER-2-12-0
VER-2-12-1
VER-2-13-0
VER-2-13-1
VER-2-13-2
VER-2-13-3
VER-2-14-0
VER-2-14-1
VER-2-2-0
VER-2-2-0-RC1
VER-2-2-0-RC2
VER-2-2-0-RC3
VER-2-2-0-RC4
VER-2-2-1
VER-2-3-0
VER-2-3-0-FINAL
VER-2-3-0-RC1
VER-2-3-0-RC2
VER-2-3-1
VER-2-3-1-FINAL
VER-2-3-10
VER-2-3-11
VER-2-3-12
VER-2-3-2
VER-2-3-3
VER-2-3-4
VER-2-3-5
VER-2-3-5-REAL
VER-2-3-6
VER-2-3-7
VER-2-3-8
VER-2-3-9
VER-2-4-0
VER-2-4-1
VER-2-4-10
VER-2-4-11
VER-2-4-12
VER-2-4-12-beta
VER-2-4-2
VER-2-4-3
VER-2-4-4
VER-2-4-5
VER-2-4-6
VER-2-4-7
VER-2-4-8
VER-2-4-9
VER-2-5-0
VER-2-5-0-1
VER-2-5-1
VER-2-5-2
VER-2-5-3
VER-2-5-4
VER-2-5-5
VER-2-6
VER-2-6-1
VER-2-6-2
VER-2-6-3
VER-2-6-4
VER-2-7
VER-2-7-1
VER-2-8
VER-2-8-1
VER-2-9
VER-2-9-1
VER-2-BETA2
VER-2-BETA3
VER-2-BETA4
freetype
freetype2
import
start
Database specific
vanir_signatures_modified
"2026-04-12T20:23:14Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23865.json"
vanir_signatures
[
{
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2026-23865-2ac371c1",
"source": "https://gitlab.com/freetype/freetype@fc85a255849229c024c8e65f536fe1875d84841c",
"signature_version": "v1",
"target": {
"file": "src/truetype/ttgxvar.c",
"function": "tt_var_load_item_variation_store"
},
"digest": {
"length": 4105.0,
"function_hash": "371595557651698550721007698133082557"
}
},
{
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2026-23865-91cf58e3",
"source": "https://gitlab.com/freetype/freetype@fc85a255849229c024c8e65f536fe1875d84841c",
"signature_version": "v1",
"target": {
"file": "src/truetype/ttgxvar.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"173775725118845386785921971932501480943",
"217990528756814337641523475873168464252",
"256299278966677633404315659859596614456",
"131613146236841817417653859910863912020",
"64709015543735491674836162189416750751",
"31847057092482650765499423577043743340",
"77677376389532582855417806035044380397",
"251390016063463307935723584293454852956"
]
}
}
]