{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T16:54:37Z", "bugzilla" : { "description" : "fontconfig: Fontconfig: Security flaw allows arbitrary code execution or system crash", "id" : "2451414", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451414" }, "cvss3" : { "cvss3_base_score" : "6.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-193", "details" : [ "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.", "A flaw was found in fontconfig. This vulnerability, an off-by-one error in how fontconfig handles font capabilities, could allow a local attacker to cause a one-byte out-of-bounds write. This issue may lead to a system crash, resulting in a Denial of Service (DoS), or potentially enable the attacker to execute unauthorized code." ], "statement" : "This vulnerability is rated Moderate severity by Red Hat Product Security. The issue arises from a memory handling flaw in font processing, which can cause applications such as fc-cache to crash when processing a specially crafted font file.\nExploitation requires a user to install or process a malicious font, meaning the issue cannot be triggered remotely without user interaction. While the crash may disrupt system functionality: for example, affecting graphical login services or applications that rely on font rendering, the impact is limited to application stability.\nThe underlying flaw involves a very small memory overwrite (one byte), which significantly limits the ability to exploit it for more serious outcomes such as executing arbitrary code or fully compromising the system. There is no evidence that the vulnerability can be reliably used to gain control over a system or access sensitive data.\nRed Hat therefore assesses the primary impact as a denial of service in user-space components, resulting in a Moderate severity rating.", "affected_release" : [ { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13722", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "fontconfig-main-2.17.1-0.1.hum1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "fontconfig", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "fontconfig", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "fontconfig", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "fontconfig", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "mingw-fontconfig", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "fontconfig", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34085\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34085\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481" ], "name" : "CVE-2026-34085", "mitigation" : { "value" : "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability.", "lang" : "en:us" }, "csaw" : false }