{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-10T05:53:21Z",
  "bugzilla" : {
    "description" : "harfbuzz: Null Pointer Dereference in harfbuzz",
    "id" : "2428439",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2428439"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.", "A null pointer dereference vector has been discovered in the harfbuzz package. A null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh:1672-1673. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault." ],
  "statement" : "This MODERATE severity null pointer dereference in the HarfBuzz library may cause a denial of service (segmentation fault) when memory allocation fails in hb_malloc.\nThe issue affects Red Hat products that include and link against HarfBuzz, such as OpenJDK builds with the java.desktop module and certain RHEL components like Firefox and Thunderbird.\nThe java-17-openjdk-headless and java-21-openjdk-headless packages do not include java.desktop and do not link against HarfBuzz; therefore, headless-only environments are not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7701",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "harfbuzz-main-14.1.0-2.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of OpenJDK 11 ELS",
    "fix_state" : "Fix deferred",
    "package_name" : "java-11-openjdk",
    "cpe" : "cpe:/a:redhat:openjdk_els:11"
  }, {
    "product_name" : "Red Hat build of OpenJDK 11 ELS",
    "fix_state" : "Fix deferred",
    "package_name" : "java-11-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk_els:11"
  }, {
    "product_name" : "Red Hat build of OpenJDK 17",
    "fix_state" : "Fix deferred",
    "package_name" : "java-17-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk:17"
  }, {
    "product_name" : "Red Hat build of OpenJDK 21",
    "fix_state" : "Fix deferred",
    "package_name" : "java-21-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk:21"
  }, {
    "product_name" : "Red Hat build of OpenJDK 25",
    "fix_state" : "Fix deferred",
    "package_name" : "java-25-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk:25"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "harfbuzz",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "java-21-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "java-25-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "harfbuzz",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "harfbuzz",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "java-17-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "java-21-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mingw-harfbuzz",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "harfbuzz",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "java-17-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "java-21-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "java-25-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-22693\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22693\nhttps://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae\nhttps://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww" ],
  "name" : "CVE-2026-22693",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}