Issued:: 2026-02-05
Updated:: 2026-02-05

RHSA-2026:2039 - Security Advisory

Overview
Updated Packages

Synopsis

Important: fontforge security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for fontforge is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

FontForge is a font editor for outline and bitmap fonts. It supports a range of font formats, including PostScript (ASCII and binary Type 1, some Type 3 and Type 0), TrueType, OpenType (Type2) and CID-keyed fonts.

Security Fix(es):

fontforge: FontForge: Remote Code Execution via heap-based buffer overflow in BMP file parsing (CVE-2025-15279)
fontforge: FontForge: Remote Code Execution via Use-After-Free in SFD file parsing (CVE-2025-15269)
fontforge: FontForge: Arbitrary code execution via SFD file parsing buffer overflow (CVE-2025-15275)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat CodeReady Linux Builder for x86_64 9 x86_64
Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x

Fixes

BZ - 2426421 - CVE-2025-15279 fontforge: FontForge: Remote Code Execution via heap-based buffer overflow in BMP file parsing
BZ - 2426423 - CVE-2025-15269 fontforge: FontForge: Remote Code Execution via Use-After-Free in SFD file parsing
BZ - 2426429 - CVE-2025-15275 fontforge: FontForge: Arbitrary code execution via SFD file parsing buffer overflow

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat CodeReady Linux Builder for x86_64 9

SRPM
fontforge-20201107-7.el9_7.src.rpm	SHA-256: 340fd6cd6897707f297141a169d09bc64133f4afd7daad70f1ac58637c27d40c
x86_64
fontforge-20201107-7.el9_7.i686.rpm	SHA-256: 6ecc78538417d9a742decbd47b17107d137ef43558d508cb1950c46e046aaed0
fontforge-20201107-7.el9_7.x86_64.rpm	SHA-256: 2432c031a9d50406345b6d022749a5c9069cada97689c831e8a5f42a76deee64
fontforge-debuginfo-20201107-7.el9_7.i686.rpm	SHA-256: cffd65b486dd864294644d7bc36ba24348a6f17423e11af2b02c016383ee9aca
fontforge-debuginfo-20201107-7.el9_7.x86_64.rpm	SHA-256: 8963471bc38d0129491c040e8bba29526f87730e94c0ac1b60a0697855a8bb28
fontforge-debugsource-20201107-7.el9_7.i686.rpm	SHA-256: 9d4b35321cdf248ecb239217ebc6462d7e1112f971c38902d6386894f7e33f06
fontforge-debugsource-20201107-7.el9_7.x86_64.rpm	SHA-256: fa68de54e9947b26f94a7785ced81741318324c516279e2c459d8222d1410614

Red Hat CodeReady Linux Builder for Power, little endian 9

SRPM
fontforge-20201107-7.el9_7.src.rpm	SHA-256: 340fd6cd6897707f297141a169d09bc64133f4afd7daad70f1ac58637c27d40c
ppc64le
fontforge-20201107-7.el9_7.ppc64le.rpm	SHA-256: 4ae63fcb476b14def9f7c6cfecf2ee01c38074f1d89782f0daabd71404b8d227
fontforge-debuginfo-20201107-7.el9_7.ppc64le.rpm	SHA-256: 6e944e01b3935f008e20dd2b428491c58aa385c572002fef6bf6c5f5f063241d
fontforge-debugsource-20201107-7.el9_7.ppc64le.rpm	SHA-256: fbcc3232ad940f22436ce823dbb3e61d3cc0e93c5314cf8e06bbc4c6458e99b3

Red Hat CodeReady Linux Builder for ARM 64 9

SRPM
fontforge-20201107-7.el9_7.src.rpm	SHA-256: 340fd6cd6897707f297141a169d09bc64133f4afd7daad70f1ac58637c27d40c
aarch64
fontforge-20201107-7.el9_7.aarch64.rpm	SHA-256: c5e208b05515a2df5c0fbf1cf59f30e0e8e44cb636c968457b1a0f7d94f95400
fontforge-debuginfo-20201107-7.el9_7.aarch64.rpm	SHA-256: 8d48d579de25bd648b50d042fb66fbf726d4c28d7cc327a157feeb80c9c4c1e0
fontforge-debugsource-20201107-7.el9_7.aarch64.rpm	SHA-256: d19470e52f1952801b9ae074a3b9a3b2a5d4b366e2c0500cdb068f4b7234e1d4

Red Hat CodeReady Linux Builder for IBM z Systems 9

SRPM
fontforge-20201107-7.el9_7.src.rpm	SHA-256: 340fd6cd6897707f297141a169d09bc64133f4afd7daad70f1ac58637c27d40c
s390x
fontforge-20201107-7.el9_7.s390x.rpm	SHA-256: f7efc6f69a6d11f07aae3aeb1e6f075d0fa598038eaff4f05fa1c05b6cc49f56
fontforge-debuginfo-20201107-7.el9_7.s390x.rpm	SHA-256: a2f36f5c374730f13b1fd85c34bf9389e0664f0ef99e75f3682f3c7d7e8ec22d
fontforge-debugsource-20201107-7.el9_7.s390x.rpm	SHA-256: a4a7f006c1ecb6f3873d0acadfe4f991aa5aad26cffe1176c71062353a650f4a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation