Source: harfbuzz
Version: 12.3.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for harfbuzz.

CVE-2026-22693[0]:
| HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null
| pointer dereference vulnerability exists in the
| SubtableUnicodesCache::create function located in src/hb-ot-cmap-
| table.hh. The function fails to check if hb_malloc returns NULL
| before using placement new to construct an object at the returned
| pointer address. When hb_malloc fails to allocate memory (which can
| occur in low-memory conditions or when using custom allocators that
| simulate allocation failures), it returns NULL. The code then
| attempts to call the constructor on this null pointer using
| placement new syntax, resulting in undefined behavior and a
| Segmentation Fault. This issue has been patched in version 12.3.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22693
    https://www.cve.org/CVERecord?id=CVE-2026-22693
[1] https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
[2] https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
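The unchecked-allocation pattern the CVE description refers to, shown beside a checked form. This is an added example, not HarfBuzz's code and not part of the original report; `demo_malloc`, `DemoCache`, `create_unchecked`, `create_checked` and `destroy` are hypothetical names, with `demo_malloc` standing in for an allocator hook that can fail.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>

// Hypothetical stand-in for an allocator hook such as hb_malloc; setting
// fail_next_alloc simulates one out-of-memory condition.
static bool fail_next_alloc = false;

void *demo_malloc(std::size_t size) {
    if (fail_next_alloc) { fail_next_alloc = false; return nullptr; }
    return std::malloc(size);
}

// Hypothetical cache object. Its constructor writes to its own members,
// so constructing it at address 0 dereferences a null pointer.
struct DemoCache {
    unsigned entries;
    const void *base;
    explicit DemoCache(const void *b) : entries(0), base(b) {}
};

// Pattern from the CVE description: placement new on an unchecked pointer.
// Undefined behavior (typically SIGSEGV) when demo_malloc returns nullptr.
DemoCache *create_unchecked(const void *source) {
    void *mem = demo_malloc(sizeof(DemoCache));
    return new (mem) DemoCache(source);
}

// Checked form: report allocation failure to the caller instead of
// running the constructor at a null address.
DemoCache *create_checked(const void *source) {
    void *mem = demo_malloc(sizeof(DemoCache));
    if (!mem) return nullptr;
    return new (mem) DemoCache(source);
}

void destroy(DemoCache *cache) {
    if (cache) { cache->~DemoCache(); std::free(cache); }
}

int main() {
    int table = 0;                               // constructed sample input
    fail_next_alloc = true;
    DemoCache *failed = create_checked(&table);  // simulated OOM
    DemoCache *ok = create_checked(&table);      // normal allocation
    bool good = failed == nullptr && ok != nullptr;
    destroy(ok);
    return good ? 0 : 1;
}
```

Callers of the checked form have to handle the null return themselves; `create_unchecked` is kept only for comparison and is never called.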

