Skip to main content

libXfont2 CVE-2026-56003

| EUVDEUVD-2026-42212 HIGH
Heap-based Buffer Overflow (CWE-122)
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (CNA) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Requires an authenticated X client (PR:L) and, realistically, local access to the X server (AV:L); crafted-but-simple font trigger (AC:L) yields full code execution in the server, so C/I/A all High.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 09, 2026 - 20:00 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 19:59 vuln.today
v4 (cvss_changed)
CVSS changed
Jul 09, 2026 - 19:52 NVD
8.5 (HIGH) 8.8 (HIGH)
Patch available
Jul 08, 2026 - 11:01 EUVD
Analysis Updated
Jul 08, 2026 - 10:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 10:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
Jul 08, 2026 - 10:22 NVD
8.5 (HIGH)
Analysis Generated
Jul 08, 2026 - 02:20 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X server via a maliciously crafted PCF bitmap font. The flaw sits in ComputeScaledProperties(), where a missing bounds check on the property buffer allows a heap overflow (CWE-122) that runs in the X server's security context - typically root on traditional Linux desktops. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as X client
Delivery
Supply crafted PCF font
Exploit
Overflow property buffer in ComputeScaledProperties
Execution
Corrupt X server heap
Impact
Execute code as X server (root)

Vulnerability AssessmentAI

Exploitation The attacker must be an authenticated X client (PR:L) able to submit or reference a crafted PCF bitmap font that the vulnerable X server parses via libXfont2's ComputeScaledProperties() - i.e., the legacy PCF/bitmap font-loading path must be reachable and enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to serious-but-not-emergency priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated but low-privilege user on a shared Linux workstation connects as an X client and requests loading of a specially crafted PCF font whose property table exceeds the allocated buffer. When ComputeScaledProperties() processes it, the heap overflow corrupts X server memory, letting the attacker escalate to the X server's privileges (often root). …
Remediation Vendor-released patch: upgrade libXfont2 to 2.0.8 or later, which contains the three upstream fixes (freedesktop.org GitLab commits be0b08e2d354138d3222b4490e2a77c6ee42f778, dff957a5158da038a282a59a31fe736702732939, and b4389e0b1d84a690b819bb27b1439968811a3674); apply your distribution's updated package as soon as it is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running libXfont2 prior to version 2.0.8 and assess X11 exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-6462 CRITICAL POC
9.3 Jan 09

Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 al

CVE-2015-1804 HIGH
8.5 Mar 20

The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper

CVE-2026-56002 HIGH
8.8 Jul 08

Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X

CVE-2026-56001 HIGH
8.8 Jul 08

Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the

CVE-2015-1802 HIGH
8.5 Mar 20

The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote a

CVE-2015-1803 HIGH
8.5 Mar 20

The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper

CVE-2014-0211 HIGH
7.5 May 15

Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org

CVE-2014-0210 HIGH
7.5 May 15

Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execu

CVE-2017-13722 HIGH
7.1 Oct 11

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary

CVE-2017-13720 HIGH
7.1 Oct 11

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with acce

CVE-2017-16611 MEDIUM
5.5 Dec 01

In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as roo

CVE-2014-0209 MEDIUM
4.6 May 15

Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4

Share

CVE-2026-56003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy