CVE-2026-34085
Published: March 27, 2026Last modified: March 28, 2026
Description
fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | fontconfig | Not affected (2.14.1-r0) |
| 25 LTS | fontconfig | Not affected (2.15.0-r3) | |
| Stream | fontconfig | Not affected (2.17.1-r0) | |
| Hardened Containers | 23 LTS | fontconfig | Not affected (2.14.1-r0) |
| 25 LTS | fontconfig | Not affected (2.15.0-r3) | |
| Stream | fontconfig | Not affected (2.17.1-r0) |