{"vulnerability": "GHSA-C55G-RP4X-FX84", "sightings": [{"uuid": "d0d76828-b014-4358-a8f5-3bf9c905d732", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-C55G-RP4X-FX84", "type": "seen", "source": "https://gist.github.com/alon710/f7ea0e610f42bb6c81fff1ec9bb3b2bd", "content": "# GHSA-C55G-RP4X-FX84: Integer Overflow and Out-of-Bounds Access in DirectX Tool Kit SpriteFont Parser\n\n> **CVSS Score:** 7.8\n> **Published:** 2026-05-18\n> **Full Report:** https://cvereports.com/reports/GHSA-C55G-RP4X-FX84\n\n## Summary\nThe Microsoft DirectX Tool Kit (DirectXTK and DirectXTK12) contains an integer overflow vulnerability in its SpriteFont parsing implementation, specifically affecting 32-bit application builds. The flaw resides in the `DirectX::BinaryReader::ReadArray` template function, where a multiplication operation using 32-bit arithmetic wraps around when processing maliciously crafted `.spritefont` files. This miscalculation circumvents pointer arithmetic safety checks, leading to out-of-bounds memory access. Successful exploitation allows an attacker to achieve memory corruption or information disclosure within the application parsing the untrusted file.\n\n## TL;DR\nA 32-bit integer overflow in the DirectX Tool Kit's `BinaryReader::ReadArray` function allows crafted `.spritefont` files to bypass size validation. 
This leads to heap buffer overflows or out-of-bounds reads when parsing maliciously structured font files on 32-bit architectures.\n\n## Technical Details\n\n- **CWE ID**: CWE-190\n- **Attack Vector**: Local/Remote via Crafted File\n- **CVSS Score**: 7.8\n- **Vulnerability Impact**: Out-of-Bounds Memory Access\n- **Architecture Dependency**: 32-bit only (x86, ARM32)\n- **Exploit Status**: None documented\n\n## Affected Systems\n\n- Microsoft DirectXTK (32-bit builds)\n- Microsoft DirectXTK12 (32-bit builds)\n- Applications parsing .spritefont files using affected library versions\n- **DirectXTK**: < May 2026 (Fixed in: `May 2026`)\n- **DirectXTK12**: < May 2026 (Fixed in: `May 2026`)\n\n## Mitigation\n\n- Update to the May 2026 release of DirectXTK and DirectXTK12.\n- Migrate application compilation targets from 32-bit (x86/ARM32) to 64-bit (x64/ARM64).\n- Implement file size and structural bounds validation for user-supplied asset files before parsing.\n\n**Remediation Steps:**\n1. Identify all projects utilizing the DirectXTK or DirectXTK12 libraries.\n2. Update the dependency references or source submodules to the May 2026 release tags.\n3. Clean the build environment and recompile the entire application to ensure the updated `BinaryReader.h` template is instantiated.\n4. Deploy the updated 32-bit binaries to end-users.\n\n## References\n\n- [GitHub Advisory: GHSA-C55G-RP4X-FX84](https://github.com/advisories/GHSA-C55G-RP4X-FX84)\n- [DirectXTK Fix Commit](https://github.com/microsoft/DirectXTK/commit/ef1bd5d7f492c39dd0cd87493ba8ea38725c9791)\n- [DirectXTK12 Fix Commit](https://github.com/microsoft/DirectXTK12/commit/ef1bd5d7f492c39dd0cd87493ba8ea38725c9791)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-C55G-RP4X-FX84) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T16:40:50.000000Z"}]}