CVE-2024-56732: HarfBuzz heap-buffer-overflow on hb_cairo_glyphs_from_buffer

9.3 CVSS

Description

HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.

Classification

CVE ID: CVE-2024-56732

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

Affected Products

Vendor: harfbuzz

Product: harfbuzz

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-qmp9-xqm5-jh6m
https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26

Timeline

2024-12-28 00:32:01 UTC
CVE

HarfBuzz heap-buffer-overflow on hb_cairo_glyphs_from_buffer
2025-02-26 10:46:31 UTC
Tenable Plugins

Amazon Linux 2023 : harfbuzz, harfbuzz-devel, harfbuzz-icu (ALAS2023-2025-848)