Skip to main content

Fontconfig CVE-2026-34085

| EUVDEUVD-2026-15934 MEDIUM
Off-by-one Error (CWE-193)
2026-03-25 mitre
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.6 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 17:17 euvd
EUVD-2026-15934
Analysis Generated
Mar 25, 2026 - 17:17 vuln.today
CVE Published
Mar 25, 2026 - 16:54 nvd
MEDIUM 5.9

DescriptionCVE.org

fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.

AnalysisAI

An off-by-one error in fontconfig before version 2.17.1 allows a one-byte out-of-bounds write in the FcFontCapabilities function within fcfreetype.c during sfnt capability handling. This vulnerability affects all versions of fontconfig prior to 2.17.1 across multiple platforms, potentially enabling local attackers without special privileges to crash the application or execute arbitrary code. A patch is available through the official fontconfig GitLab repository, and given the memory corruption nature of the defect, exploitation is feasible on systems with fontconfig-dependent applications.

Technical ContextAI

Fontconfig is a fundamental font configuration and customization library used across Linux desktop environments and applications for font discovery and rendering. The vulnerability resides in the FcFontCapabilities function in fcfreetype.c, which handles SFNT (Spline Font) capability detection—a standard font format that includes TrueType and OpenType fonts. The root cause is classified as CWE-193 (Off-by-one Error), a boundary condition weakness that results in an allocation being one byte smaller than required. When processing specially crafted SFNT font files, the insufficient buffer causes a write operation to exceed allocated memory by exactly one byte, triggering potential heap corruption. The affected CPE (cpe:2.3:a:fontconfig:fontconfig:*:*:*:*:*:*:*:*) indicates all versions prior to 2.17.1 are vulnerable, making this a widespread concern across Linux distributions and applications embedding fontconfig.

RemediationAI

Immediately upgrade fontconfig to version 2.17.1 or later using your system package manager (apt upgrade fontconfig on Debian/Ubuntu, dnf upgrade fontconfig on Fedora, etc.) or by building from the official repository at https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446. For systems where immediate patching is not feasible, restrict processing of untrusted font files by disabling custom font loading in user-facing applications, implementing strict file type validation before passing fonts to fontconfig, and enforcing sandboxing or containerization to limit the scope of local code execution. Web browsers should enable sandbox profiles that restrict font file access, and systems processing user-supplied documents (PDF readers, office suites) should be updated as a priority since they commonly invoke fontconfig for font discovery.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-34085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy