libXfont2 Security Flaws
2026-07-08
Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X server by supplying a malformed PCF font that trips missing glyph bounds checking in pcfReadFont(). Because X servers frequently run with elevated (often root) privileges, a successful exploit can escalate from a low-privileged client to full host compromise. No public exploit is identified at time of analysis and CISA SSVC rates current exploitation as none, but the technical impact is rated total.
Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X server via a maliciously crafted PCF bitmap font. The flaw sits in ComputeScaledProperties(), where a missing bounds check on the property buffer allows a heap overflow (CWE-122) that runs in the X server's security context - typically root on traditional Linux desktops. There is no public exploit identified at time of analysis; EPSS is modest at 0.58% and CISA SSVC rates exploitation as 'none' with 'total' technical impact.
Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the BitmapScaleBitmaps routine, where a 32-bit size calculation overflows during bitmap font scaling. Any client able to connect to the X Server and request scaled bitmap fonts can corrupt heap memory and run code within the X server's process context, which is frequently privileged. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; EPSS is low at 0.37% (29th percentile), consistent with the SSVC finding of no observed exploitation despite total technical impact.