CVE-2026-23865
Published: March 6, 2026Last modified: May 5, 2026
Description
An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | LOW |
| Availability impact | LOW |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | freetype | Fixed (2.13.3-r1) |
| openjdk11 | Fixed (11.0.31_p11-r0) | ||
| openjdk11-container-jre | Fixed (11.0.31_p11-r0) | ||
| openjdk11-lite | Fixed (11.0.31_p11-r0) | ||
| openjdk17 | Fixed (17.0.19_p11-r0) | ||
| openjdk17-container-jre | Fixed (17.0.19_p11-r0) | ||
| openjdk17-crac | Fixed (17.0.19_p12-r0) | ||
| openjdk17-lite | Fixed (17.0.19_p11-r0) | ||
| openjdk21 | Fixed (21.0.11_p11-r0) | ||
| openjdk21-container-jre | Fixed (21.0.11_p11-r0) | ||
| openjdk21-crac | Fixed (21.0.11_p12-r0) | ||
| openjdk21-lite | Fixed (21.0.11_p11-r0) | ||
| openjdk25 | Fixed (25.0.3_p11-r0) | ||
| openjdk25-container-jre | Fixed (25.0.3_p11-r0) | ||
| openjdk25-lite | Fixed (25.0.3_p11-r0) | ||
| openjdk26 | Fixed (26.0.1_p10-r0) | ||
| openjdk26-container-jre | Fixed (26.0.1_p10-r0) | ||
| openjdk26-lite | Fixed (26.0.1_p10-r0) | ||
| openjdk8 | Fixed (8.492_p9-r0) | ||
| 25 LTS | freetype | Fixed (2.13.3-r1) | |
| openjdk11 | Fixed (11.0.31_p11-r0) | ||
| openjdk11-container-jre | Fixed (11.0.31_p11-r0) | ||
| openjdk11-lite | Fixed (11.0.31_p11-r0) | ||
| openjdk11-perf | Fixed (11.0.31_p12-r0) | ||
| openjdk17 | Fixed (17.0.19_p11-r0) | ||
| openjdk17-container-jre | Fixed (17.0.19_p11-r0) | ||
| openjdk17-crac | Fixed (17.0.19_p12-r0) | ||
| openjdk17-lite | Fixed (17.0.19_p11-r0) | ||
| openjdk21 | Fixed (21.0.11_p11-r0) | ||
| openjdk21-container-jre | Fixed (21.0.11_p11-r0) | ||
| openjdk21-crac | Fixed (21.0.11_p12-r0) | ||
| openjdk21-lite | Fixed (21.0.11_p11-r0) | ||
| openjdk25 | Fixed (25.0.3_p11-r0) | ||
| openjdk25-container-jre | Fixed (25.0.3_p11-r0) | ||
| openjdk25-lite | Fixed (25.0.3_p11-r0) | ||
| openjdk26 | Fixed (26.0.1_p10-r0) | ||
| openjdk26-container-jre | Fixed (26.0.1_p10-r0) | ||
| openjdk26-lite | Fixed (26.0.1_p10-r0) | ||
| openjdk8 | Fixed (8.492_p9-r0) | ||
| openjdk8-perf | Fixed (8.492_p10-r0) | ||
| Stream | freetype | Fixed (2.14.2-r0) | |
| openjdk11 | Fixed (11.0.31_p11-r0) | ||
| openjdk11-container-jre | Fixed (11.0.31_p11-r0) | ||
| openjdk11-lite | Fixed (11.0.31_p11-r0) | ||
| openjdk17 | Fixed (17.0.19_p11-r0) | ||
| openjdk17-container-jre | Fixed (17.0.19_p11-r0) | ||
| openjdk17-crac | Fixed (17.0.19_p12-r0) | ||
| openjdk17-lite | Fixed (17.0.19_p11-r0) | ||
| openjdk21 | Fixed (21.0.11_p11-r0) | ||
| openjdk21-container-jre | Fixed (21.0.11_p11-r0) | ||
| openjdk21-crac | Fixed (21.0.11_p12-r0) | ||
| openjdk21-lite | Fixed (21.0.11_p11-r0) | ||
| openjdk25 | Fixed (25.0.3_p11-r0) | ||
| openjdk25-container-jre | Fixed (25.0.3_p11-r0) | ||
| openjdk25-lite | Fixed (25.0.3_p11-r0) | ||
| openjdk26 | Fixed (26.0.1_p10-r0) | ||
| openjdk26-container-jre | Fixed (26.0.1_p10-r0) | ||
| openjdk26-lite | Fixed (26.0.1_p10-r0) | ||
| openjdk8 | Fixed (8.492_p9-r0) | ||
| Hardened Containers | 23 LTS | freetype | Fixed (2.13.3-r1) |
| openjdk11-container-jre | Fixed (11.0.31_p11-r0) | ||
| openjdk11-lite | Fixed (11.0.31_p11-r0) | ||
| openjdk17-container-jre | Fixed (17.0.19_p11-r0) | ||
| openjdk17-crac | Fixed (17.0.19_p12-r0) | ||
| openjdk17-lite | Fixed (17.0.19_p11-r0) | ||
| openjdk21-container-jre | Fixed (21.0.11_p11-r0) | ||
| openjdk21-crac | Fixed (21.0.11_p12-r0) | ||
| openjdk21-lite | Fixed (21.0.11_p11-r0) | ||
| openjdk25-container-jre | Fixed (25.0.3_p11-r0) | ||
| openjdk25-lite | Fixed (25.0.3_p11-r0) | ||
| openjdk26-container-jre | Fixed (26.0.1_p10-r0) | ||
| openjdk26-lite | Fixed (26.0.1_p10-r0) | ||
| openjdk8 | Fixed (8.492_p9-r0) | ||
| 25 LTS | freetype | Fixed (2.13.3-r1) | |
| openjdk11-container-jre | Fixed (11.0.31_p11-r0) | ||
| openjdk11-lite | Fixed (11.0.31_p11-r0) | ||
| openjdk11-perf | Fixed (11.0.31_p12-r0) | ||
| openjdk17-container-jre | Fixed (17.0.19_p11-r0) | ||
| openjdk17-crac | Fixed (17.0.19_p12-r0) | ||
| openjdk17-lite | Fixed (17.0.19_p11-r0) | ||
| openjdk21-container-jre | Fixed (21.0.11_p11-r0) | ||
| openjdk21-crac | Fixed (21.0.11_p12-r0) | ||
| openjdk21-lite | Fixed (21.0.11_p11-r0) | ||
| openjdk25-container-jre | Fixed (25.0.3_p11-r0) | ||
| openjdk25-lite | Fixed (25.0.3_p11-r0) | ||
| openjdk26-container-jre | Fixed (26.0.1_p10-r0) | ||
| openjdk26-lite | Fixed (26.0.1_p10-r0) | ||
| openjdk8 | Fixed (8.492_p9-r0) | ||
| openjdk8-perf | Fixed (8.492_p10-r0) | ||
| Stream | freetype | Fixed (2.14.2-r0) | |
| openjdk11-container-jre | Fixed (11.0.31_p11-r0) | ||
| openjdk11-lite | Fixed (11.0.31_p11-r0) | ||
| openjdk17-container-jre | Fixed (17.0.19_p11-r0) | ||
| openjdk17-crac | Fixed (17.0.19_p12-r0) | ||
| openjdk17-lite | Fixed (17.0.19_p11-r0) | ||
| openjdk21-container-jre | Fixed (21.0.11_p11-r0) | ||
| openjdk21-crac | Fixed (21.0.11_p12-r0) | ||
| openjdk21-lite | Fixed (21.0.11_p11-r0) | ||
| openjdk25-container-jre | Fixed (25.0.3_p11-r0) | ||
| openjdk25-lite | Fixed (25.0.3_p11-r0) | ||
| openjdk26-container-jre | Fixed (26.0.1_p10-r0) | ||
| openjdk26-lite | Fixed (26.0.1_p10-r0) | ||
| openjdk8 | Fixed (8.492_p9-r0) | ||
| Liberica JDK | 8 | jdk | Fixed (8u492+9) |
| jdk-full | Fixed (8u492+9) | ||
| jdk-lite | Fixed (8u492+9) | ||
| jre | Fixed (8u492+9) | ||
| jre-full | Fixed (8u492+9) | ||
| 11 | jdk | Fixed (11.0.31+11) | |
| jdk-full | Fixed (11.0.31+11) | ||
| jdk-lite | Fixed (11.0.31+11) | ||
| jre | Fixed (11.0.31+11) | ||
| jre-full | Fixed (11.0.31+11) | ||
| 17 | jdk | Fixed (17.0.19+11) | |
| jdk-full | Fixed (17.0.19+11) | ||
| jdk-lite | Fixed (17.0.19+11) | ||
| jre | Fixed (17.0.19+11) | ||
| jre-full | Fixed (17.0.19+11) | ||
| 21 | jdk | Fixed (21.0.11+11) | |
| jdk-full | Fixed (21.0.11+11) | ||
| jdk-lite | Fixed (21.0.11+11) | ||
| jre | Fixed (21.0.11+11) | ||
| jre-full | Fixed (21.0.11+11) | ||
| 25 | jdk | Fixed (25.0.3+11) | |
| jdk-full | Fixed (25.0.3+11) | ||
| jdk-lite | Fixed (25.0.3+11) | ||
| jre | Fixed (25.0.3+11) | ||
| jre-full | Fixed (25.0.3+11) | ||
| 26 | jdk | Fixed (26.0.1+10) | |
| jdk-full | Fixed (26.0.1+10) | ||
| jdk-lite | Fixed (26.0.1+10) | ||
| jre | Fixed (26.0.1+10) | ||
| jre-full | Fixed (26.0.1+10) | ||
| Liberica NIK | 23 (JDK 17) | core | Fixed (23.0.12+1) |
| full | Fixed (23.0.12+1) | ||
| standard | Fixed (23.0.12+1) | ||
| 23 (JDK 21) | core | Fixed (23.1.11+1) | |
| full | Fixed (23.1.11+1) | ||
| standard | Fixed (23.1.11+1) | ||
| 25 (JDK 25) | full | Fixed (25.0.3+1) | |
| standard | Fixed (25.0.3+1) |
References
- http://www.openwall.com/lists/oss-security/2026/03/03/8
- https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
- https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/
- https://www.facebook.com/security/advisories/cve-2026-23865