ubuntu-cve-2026-22693
Vulnerability from osv_ubuntu
Published
2026-01-10 06:15
Modified
2026-04-22 07:57
Summary
Details
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.
Severity
5.3 (Medium)
N/A (UNKNOWN)
References
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "gir1.2-harfbuzz-0.0",
"binary_version": "8.3.0-2build2"
},
{
"binary_name": "libharfbuzz-bin",
"binary_version": "8.3.0-2build2"
},
{
"binary_name": "libharfbuzz-cairo0",
"binary_version": "8.3.0-2build2"
},
{
"binary_name": "libharfbuzz-gobject0",
"binary_version": "8.3.0-2build2"
},
{
"binary_name": "libharfbuzz-icu0",
"binary_version": "8.3.0-2build2"
},
{
"binary_name": "libharfbuzz-subset0",
"binary_version": "8.3.0-2build2"
},
{
"binary_name": "libharfbuzz0b",
"binary_version": "8.3.0-2build2"
}
],
"priority_reason": "This is a DoS that isn\u0027t attacker-controlled"
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "harfbuzz",
"purl": "pkg:deb/ubuntu/harfbuzz@8.3.0-2build2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.1-1",
"8.0.1-1build1",
"8.3.0-2",
"8.3.0-2build1",
"8.3.0-2build2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "gir1.2-harfbuzz-0.0",
"binary_version": "10.2.0-1"
},
{
"binary_name": "libharfbuzz-bin",
"binary_version": "10.2.0-1"
},
{
"binary_name": "libharfbuzz-cairo0",
"binary_version": "10.2.0-1"
},
{
"binary_name": "libharfbuzz-gobject0",
"binary_version": "10.2.0-1"
},
{
"binary_name": "libharfbuzz-icu0",
"binary_version": "10.2.0-1"
},
{
"binary_name": "libharfbuzz-subset0",
"binary_version": "10.2.0-1"
},
{
"binary_name": "libharfbuzz0b",
"binary_version": "10.2.0-1"
}
],
"priority_reason": "This is a DoS that isn\u0027t attacker-controlled"
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "harfbuzz",
"purl": "pkg:deb/ubuntu/harfbuzz@10.2.0-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"10.2.0-1"
]
}
],
"aliases": [],
"details": "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.",
"id": "UBUNTU-CVE-2026-22693",
"modified": "2026-04-22T07:57:44Z",
"published": "2026-01-10T06:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-22693"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22693"
},
{
"type": "REPORT",
"url": "https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww"
},
{
"type": "REPORT",
"url": "http://www.openwall.com/lists/oss-security/2026/01/11/1"
}
],
"related": [],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-22693"
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…