GHSA-j726-7g32-78m6
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
X Server client access is normally local and authorized, so AV:L/PR:L; low-complexity trigger via font scaling yields AC:L and full code execution gives C:H/I:H/A:H.
Primary rating from Vendor (CNA).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9Description PRE-NVD
AnalysisAI
Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the BitmapScaleBitmaps routine, where a 32-bit size calculation overflows during bitmap font scaling. Any client able to connect to the X Server and request scaled bitmap fonts can corrupt heap memory and run code within the X server's process context, which is frequently privileged. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already have the ability to connect to the target X Server as a client (AV:N/PR:L in the CVSS vector indicates authorized-but-low-privilege access, not anonymous access), and to trigger the vulnerable code path by requesting a scaled bitmap font that drives the 32-bit size calculation in BitmapScaleBitmaps to overflow. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be weighed together rather than taken from the CVSS number alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local or otherwise authorized X client (for example a low-privileged user on a shared Linux workstation, or a compromised desktop application) requests a bitmap font scaled to a size that triggers the 32-bit size overflow in BitmapScaleBitmaps, undersizing a heap buffer. The subsequent out-of-bounds write corrupts X server heap memory and is groomed into control of execution, running attacker code in the X server process - often more privileged than the requesting client. … |
| Remediation | Upgrade libXfont2 to version 2.0.8 or later, which contains the corrected size arithmetic - Vendor-released patch: 2.0.8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running libXfont2 and determine current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 al
The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper
Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X serve
Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X
The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote a
The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper
Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org
Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execu
In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary
In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with acce
In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as roo
Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42210