CVE-2026-23865

Published: March 6, 2026Last modified: March 13, 2026

Description

An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.

Severity score breakdown

Parameter	Value
Base score	5.3
Attack Vector	LOCAL
Attack complexity	LOW
Privileges required	NONE
User interaction	REQUIRED
Scope	UNCHANGED
Confidentiality	LOW
Integrity impact	LOW
Availability impact	LOW
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	freetype	Unknown (2.12.1-r0)
	25 LTS	freetype	Unknown (2.13.3-r0)
	Stream	freetype	Fixed (2.14.2-r0)
Hardened Containers	23 LTS	freetype	Unknown (2.12.1-r0)
	25 LTS	freetype	Unknown (2.13.3-r0)
	Stream	freetype	Unknown (2.13.0-r6)

References

http://www.openwall.com/lists/oss-security/2026/03/03/8
https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/
https://www.facebook.com/security/advisories/cve-2026-23865