GHSA-3v92-8994-jg8p
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Requires an authenticated X client (PR:L) and, realistically, local access to the X server (AV:L); crafted-but-simple font trigger (AC:L) yields full code execution in the server, so C/I/A all High.
Primary rating from Vendor (CNA).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9Description PRE-NVD
AnalysisAI
Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X server via a maliciously crafted PCF bitmap font. The flaw sits in ComputeScaledProperties(), where a missing bounds check on the property buffer allows a heap overflow (CWE-122) that runs in the X server's security context - typically root on traditional Linux desktops. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be an authenticated X client (PR:L) able to submit or reference a crafted PCF bitmap font that the vulnerable X server parses via libXfont2's ComputeScaledProperties() - i.e., the legacy PCF/bitmap font-loading path must be reachable and enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to serious-but-not-emergency priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated but low-privilege user on a shared Linux workstation connects as an X client and requests loading of a specially crafted PCF font whose property table exceeds the allocated buffer. When ComputeScaledProperties() processes it, the heap overflow corrupts X server memory, letting the attacker escalate to the X server's privileges (often root). … |
| Remediation | Vendor-released patch: upgrade libXfont2 to 2.0.8 or later, which contains the three upstream fixes (freedesktop.org GitLab commits be0b08e2d354138d3222b4490e2a77c6ee42f778, dff957a5158da038a282a59a31fe736702732939, and b4389e0b1d84a690b819bb27b1439968811a3674); apply your distribution's updated package as soon as it is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running libXfont2 prior to version 2.0.8 and assess X11 exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 al
The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper
Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X
Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the
The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote a
The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper
Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org
Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execu
In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary
In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with acce
In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as roo
Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42212