What is the CVSS score of CVE-2026-22693?

CVE-2026-22693 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.1%.

Which versions of Harfbuzz are affected by CVE-2026-22693?

Organizations using src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL should be aware of moderate risk from CVE-2026-22693, a null pointer dereference vulnerability rated…. A patch is available.

Is there a public PoC exploit available for CVE-2026-22693?

Yes, a public proof-of-concept exploit is available for CVE-2026-22693. Prioritise patching immediately. EPSS: 0.1%.

Harfbuzz CVE-2026-22693

MEDIUM

NULL Pointer Dereference (CWE-476)

2026-01-10 security-advisories@github.com

Null Pointer Dereference Red Hat Harfbuzz Suse

5.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 17:49 vuln.today

Public exploit code

Patch released

Feb 18, 2026 - 17:49 nvd

Patch available

CVE Published

Jan 10, 2026 - 06:15 nvd

MEDIUM 5.3

DescriptionNVD

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.

AnalysisAI

HarfBuzz text shaping engine versions prior to 12.3.0 crash when the SubtableUnicodesCache::create function attempts to dereference a null pointer returned by failed memory allocation, enabling denial of service in applications processing untrusted font data. Public exploit code exists for this vulnerability. …

RemediationAI

Within 30 days: Identify affected systems running src/hb-ot-cmap-table.hh. The function fails to check if hb_m and apply vendor patches as part of regular patch cycle. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory