Skip to main content

libXfont2 EUVDEUVD-2026-42210

| CVE-2026-56001 HIGH
Heap-based Buffer Overflow (CWE-122)
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (CNA) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

X Server client access is normally local and authorized, so AV:L/PR:L; low-complexity trigger via font scaling yields AC:L and full code execution gives C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 09, 2026 - 20:02 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 20:01 vuln.today
v4 (cvss_changed)
CVSS changed
Jul 09, 2026 - 19:52 NVD
8.5 (HIGH) 8.8 (HIGH)
Patch available
Jul 08, 2026 - 10:01 EUVD
Analysis Updated
Jul 08, 2026 - 09:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 09:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 09:22 vuln.today
cvss_changed
CVSS changed
Jul 08, 2026 - 09:22 NVD
8.5 (HIGH)
Analysis Generated
Jul 08, 2026 - 02:24 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the BitmapScaleBitmaps routine, where a 32-bit size calculation overflows during bitmap font scaling. Any client able to connect to the X Server and request scaled bitmap fonts can corrupt heap memory and run code within the X server's process context, which is frequently privileged. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authorized X Server client access
Delivery
Request scaled bitmap font
Exploit
Overflow 32-bit size in BitmapScaleBitmaps
Execution
Write past undersized heap buffer
Persist
Groom heap and hijack control flow
Impact
Execute code in X server context

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already have the ability to connect to the target X Server as a client (AV:N/PR:L in the CVSS vector indicates authorized-but-low-privilege access, not anonymous access), and to trigger the vulnerable code path by requesting a scaled bitmap font that drives the 32-bit size calculation in BitmapScaleBitmaps to overflow. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be weighed together rather than taken from the CVSS number alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local or otherwise authorized X client (for example a low-privileged user on a shared Linux workstation, or a compromised desktop application) requests a bitmap font scaled to a size that triggers the 32-bit size overflow in BitmapScaleBitmaps, undersizing a heap buffer. The subsequent out-of-bounds write corrupts X server heap memory and is groomed into control of execution, running attacker code in the X server process - often more privileged than the requesting client. …
Remediation Upgrade libXfont2 to version 2.0.8 or later, which contains the corrected size arithmetic - Vendor-released patch: 2.0.8. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running libXfont2 and determine current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-6462 CRITICAL POC
9.3 Jan 09

Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 al

CVE-2015-1804 HIGH
8.5 Mar 20

The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper

CVE-2026-56003 HIGH
8.8 Jul 08

Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X serve

CVE-2026-56002 HIGH
8.8 Jul 08

Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X

CVE-2015-1802 HIGH
8.5 Mar 20

The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote a

CVE-2015-1803 HIGH
8.5 Mar 20

The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not proper

CVE-2014-0211 HIGH
7.5 May 15

Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org

CVE-2014-0210 HIGH
7.5 May 15

Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execu

CVE-2017-13722 HIGH
7.1 Oct 11

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary

CVE-2017-13720 HIGH
7.1 Oct 11

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with acce

CVE-2017-16611 MEDIUM
5.5 Dec 01

In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as roo

CVE-2014-0209 MEDIUM
4.6 May 15

Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4

Share

EUVD-2026-42210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy