Hi,

On Sat, Jan 10, 2026 at 08:16:59PM +0100, أحمد المحمودي wrote:
> On Sat, Jan 10, 2026 at 02:08:43PM +0100, Salvatore Bonaccorso wrote:
> > Source: harfbuzz
> > Version: 12.3.0-3
> >
> > CVE-2026-22693[0]:
> > | HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null
> > | pointer dereference vulnerability exists in the
> > | SubtableUnicodesCache::create function located in src/hb-ot-cmap-
> > | table.hh. The function fails to check if hb_malloc returns NULL
> > | before using placement new to construct an object at the returned
> > | pointer address. When hb_malloc fails to allocate memory (which can
> > | occur in low-memory conditions or when using custom allocators that
> > | simulate allocation failures), it returns NULL. The code then
> > | attempts to call the constructor on this null pointer using
> > | placement new syntax, resulting in undefined behavior and a
> > | Segmentation Fault. This issue has been patched in version 12.3.0.
> ---end quoted text---
>
> If the CVE has been fixed in 12.3.0, why is the bug filed against
> 12.3.0-3 ?

Because the CVE description looks wrong. Looking at the code, the patch
is
https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae .
This change is not in 12.3.0 upstream and not in 12.3.0-3.

Regards,
Salvatore
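
The bug class as the quoted CVE text words it (placement new on an unchecked allocator result), next to a checked form, as an added example that is not part of this mail and is not HarfBuzz code. `demo_malloc`, `DemoCache`, `create_unchecked` and `create_checked` are hypothetical names, and the failing allocator is a constructed stand-in for the "custom allocators that simulate allocation failures" the description mentions.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>

// Constructed allocator hook: fails once when the flag is set.
static bool g_fail_next_alloc = false;

static void *demo_malloc(std::size_t n) {
    if (g_fail_next_alloc) { g_fail_next_alloc = false; return nullptr; }
    return std::malloc(n);
}

// Hypothetical cache object (assumption, not the real HarfBuzz type).
struct DemoCache {
    unsigned entries;
    explicit DemoCache(unsigned n) : entries(n) {}  // writes through `this`
};

// Pattern described in the CVE text: the pointer is not checked, so on
// allocation failure the constructor runs with this == nullptr, which is
// undefined behaviour and in practice a segmentation fault.
DemoCache *create_unchecked(unsigned n) {
    void *mem = demo_malloc(sizeof(DemoCache));
    return new (mem) DemoCache(n);
}

// Checked form: report allocation failure to the caller as nullptr.
DemoCache *create_checked(unsigned n) {
    void *mem = demo_malloc(sizeof(DemoCache));
    if (!mem) return nullptr;
    return new (mem) DemoCache(n);
}

// Placement-new objects need an explicit destructor call before free().
void destroy(DemoCache *c) {
    if (!c) return;
    c->~DemoCache();
    std::free(c);
}

// True when a simulated allocation failure surfaces as nullptr, not a crash.
bool checked_survives_failure() {
    g_fail_next_alloc = true;
    DemoCache *c = create_checked(4);
    bool ok = (c == nullptr);
    destroy(c);
    return ok;
}
```

Callers of the checked form still have to handle the `nullptr` return, otherwise the dereference just moves one frame up.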

