FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.
Max CVSS
7.5
EPSS Score
0.36%
Published
2022-04-22
Updated
2024-02-29
FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.
Max CVSS
7.5
EPSS Score
0.27%
Published
2022-04-22
Updated
2024-02-29
FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.
Max CVSS
9.8
EPSS Score
0.88%
Published
2022-04-22
Updated
2024-02-29
CVE-2020-15999
Known exploited
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Max CVSS
6.5
EPSS Score
2.55%
Published
2020-11-03
Updated
2024-02-15
CISA KEV Added
2021-11-03
An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.
Max CVSS
6.5
EPSS Score
0.32%
Published
2018-02-13
Updated
2021-01-26
FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.
Max CVSS
9.8
EPSS Score
0.95%
Published
2017-04-27
Updated
2021-01-26
FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.
Max CVSS
9.8
EPSS Score
1.18%
Published
2017-04-24
Updated
2021-01-26
FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.
Max CVSS
9.8
EPSS Score
0.91%
Published
2017-04-14
Updated
2021-01-26
FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
Max CVSS
9.8
EPSS Score
1.35%
Published
2017-04-14
Updated
2021-01-26
FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
Max CVSS
9.8
EPSS Score
0.91%
Published
2017-04-14
Updated
2021-01-26
FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.
Max CVSS
9.8
EPSS Score
0.93%
Published
2017-04-14
Updated
2021-03-26
The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.
Max CVSS
7.8
EPSS Score
0.93%
Published
2017-03-06
Updated
2021-01-26
FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.
Max CVSS
6.5
EPSS Score
0.45%
Published
2019-09-03
Updated
2023-02-23
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.
Max CVSS
6.5
EPSS Score
0.58%
Published
2019-09-03
Updated
2019-09-10
FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.
Max CVSS
8.8
EPSS Score
1.25%
Published
2019-09-03
Updated
2019-09-10
In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.
Max CVSS
9.8
EPSS Score
0.62%
Published
2019-07-30
Updated
2019-08-15
The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font.
Max CVSS
7.5
EPSS Score
1.69%
Published
2016-06-07
Updated
2016-06-08
The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.
Max CVSS
9.8
EPSS Score
2.55%
Published
2016-06-07
Updated
2018-07-19
The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
Max CVSS
7.5
EPSS Score
2.53%
Published
2015-02-08
Updated
2018-10-30
Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
Max CVSS
6.8
EPSS Score
2.90%
Published
2015-02-08
Updated
2018-10-30
Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table.
Max CVSS
6.8
EPSS Score
1.16%
Published
2015-02-08
Updated
2018-10-30
The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.
Max CVSS
7.5
EPSS Score
3.69%
Published
2015-02-08
Updated
2018-10-30
sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.
Max CVSS
6.8
EPSS Score
2.45%
Published
2015-02-08
Updated
2018-10-30
The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.
Max CVSS
6.8
EPSS Score
1.89%
Published
2015-02-08
Updated
2018-10-30
The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.
Max CVSS
7.5
EPSS Score
3.86%
Published
2015-02-08
Updated
2018-10-30