CVE-2026-23865

Published: March 2nd, 2026
An integer overflow in the tt_var_load_item_variation_store function of the FreeType library, versions 2.13.2 and 2.13.3, may allow an out-of-bounds read when parsing the HVAR/VVAR/MVAR tables of OpenType variable fonts. This issue is fixed in version 2.14.2.

Severity: MEDIUM
CVSS v3.1 base score: 5.3
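The bug class behind this advisory is a size computation that wraps before it is compared against the bytes actually available, so a crafted header makes a huge delta-set matrix look small and the subsequent reads run past the table. The following C program is an added illustration of that pattern, not FreeType's code: it walks one ItemVariationData subtable using the field layout from the OpenType ItemVariationStore specification (itemCount, wordDeltaCount, regionIndexCount, regionIndexes[], then the deltaSets matrix), and contrasts a naive 32-bit size check with a widened one. The page does not describe FreeType's exact overflow site, and the header values, buffer sizes and function names here are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Big-endian reader/writer for the OpenType binary layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Byte size of the deltaSets matrix of one ItemVariationData subtable:
 * itemCount rows, each holding wordDeltaCount 16-bit deltas followed by
 * (regionIndexCount - wordDeltaCount) 8-bit deltas.  The LONG_WORDS flag
 * (bit 15 of wordDeltaCount) is rejected rather than handled here.
 *
 * Naive form (hypothetical, not FreeType's code): the product is formed in
 * 32-bit arithmetic and can wrap, so a multi-gigabyte matrix passes the
 * bounds check against a few kilobytes of trailing data. */
static int naive_delta_sets_fit(uint16_t item_count, uint16_t word_field,
                                uint16_t region_count, size_t avail)
{
    if (word_field & 0x8000u) return 0;
    uint32_t word_count = word_field & 0x7FFFu;
    if (word_count > region_count) return 0;
    uint32_t row   = word_count * 2u + (region_count - word_count);
    uint32_t total = (uint32_t)item_count * row;      /* may wrap */
    return total <= avail;
}

/* Hardened form: widen before multiplying (equivalently, check
 * item_count <= avail / row) so the comparison sees the true size. */
static int checked_delta_sets_fit(uint16_t item_count, uint16_t word_field,
                                  uint16_t region_count, size_t avail)
{
    if (word_field & 0x8000u) return 0;
    uint32_t word_count = word_field & 0x7FFFu;
    if (word_count > region_count) return 0;
    uint64_t row   = (uint64_t)word_count * 2u + (region_count - word_count);
    uint64_t total = (uint64_t)item_count * row;      /* < 2^33, cannot wrap */
    return total <= avail;
}

/* Checks that the ItemVariationData subtable at `off` lies entirely inside
 * buf[0..len): 6-byte header, regionIndexes[regionIndexCount] (uint16 each),
 * then the deltaSets matrix.  Returns 1 if it fits, 0 otherwise. */
static int ivd_fits(const uint8_t *buf, size_t len, size_t off, int hardened)
{
    if (off > len || len - off < 6) return 0;
    uint16_t item_count   = rd16(buf + off);
    uint16_t word_field   = rd16(buf + off + 2);
    uint16_t region_count = rd16(buf + off + 4);
    size_t cursor    = off + 6;
    size_t idx_bytes = (size_t)region_count * 2;     /* size_t: no wrap for a 16-bit count */
    if (len - cursor < idx_bytes) return 0;
    cursor += idx_bytes;
    size_t avail = len - cursor;
    return hardened ? checked_delta_sets_fit(item_count, word_field, region_count, avail)
                    : naive_delta_sets_fit(item_count, word_field, region_count, avail);
}

/* Constructed sample buffer: one subtable header followed by zero bytes
 * (6 header bytes + 2 * 32771 region-index bytes + 100000 trailing bytes). */
#define SAMPLE_LEN (6u + 2u * 32771u + 100000u)
static uint8_t g_sample[SAMPLE_LEN];

static const uint8_t *build_sample(uint16_t item_count, uint16_t word_field,
                                   uint16_t region_count)
{
    memset(g_sample, 0, sizeof g_sample);
    wr16(g_sample + 0, item_count);
    wr16(g_sample + 2, word_field);
    wr16(g_sample + 4, region_count);
    return g_sample;
}

/* Crafted header: itemCount 65535, wordDeltaCount 32767, regionIndexCount 32771.
 * Row size is 65538 bytes; the true matrix size 65535 * 65538 = 4295032830
 * wraps to 65534 in uint32 and so "fits" in the 100000 trailing bytes. */
int crafted_fits(int hardened)
{
    const uint8_t *buf = build_sample(65535u, 32767u, 32771u);
    return ivd_fits(buf, SAMPLE_LEN, 0, hardened);
}

/* Well-formed header: 10 items, 2 word deltas, 5 regions -> 70-byte matrix. */
int benign_fits(int hardened)
{
    const uint8_t *buf = build_sample(10u, 2u, 5u);
    return ivd_fits(buf, SAMPLE_LEN, 0, hardened);
}

int main(void)
{
    printf("crafted: naive=%d hardened=%d\n", crafted_fits(0), crafted_fits(1));
    printf("benign:  naive=%d hardened=%d\n", benign_fits(0), benign_fits(1));
    return 0;
}
```

The naive check accepts the crafted header and a parser that trusted it would read roughly 4 GiB past a 100 KB buffer; the widened check rejects it while still accepting the well-formed header. When triaging the "Needs Triage" rows above, the practical question is whether the shipped FreeType carries the referenced commit, not only which upstream version string it reports.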

Status

DocFilters Release | Package           | State        | Justification    | Comment
0.0.0.1            | freetype (2.13.3) | Resolved     | Code Not Present | Patch applied from https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
26.1.1             | freetype (2.13.3) | Needs Triage |                  |
26.1               | freetype (2.13.3) | Needs Triage |                  |
25.4               | freetype (2.13.3) | Needs Triage |                  |
25.3               | freetype (2.13.3) | Needs Triage |                  |
25.2               | freetype (2.13.3) | Needs Triage |                  |
25.1.2             | freetype (2.13.3) | Resolved     | Code Not Present | Patch applied from https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
25.1.1             | freetype (2.13.3) | Needs Triage |                  |
25.1               | freetype (2.6.5)  | Needs Triage |                  |
24.4               | freetype (2.6.5)  | Needs Triage |                  |
24.4.0             | freetype (2.6.5)  | Needs Triage |                  |
24.3               | freetype (2.6.5)  | Needs Triage |                  |
24.2.1             | freetype (2.6.5)  | Needs Triage |                  |
24.2               | freetype (2.6.5)  | Needs Triage |                  |
24.1               | freetype (2.6.5)  | Needs Triage |                  |
23.3               | freetype (2.6.5)  | Needs Triage |                  |
23.2.1             | freetype (2.6.5)  | Needs Triage |                  |
23.2               | freetype (2.6.5)  | Needs Triage |                  |
23.1               | freetype (2.6.5)  | Needs Triage |                  |
22.4               | freetype (2.6.5)  | Needs Triage |                  |
22.3               | freetype (2.6.5)  | Needs Triage |                  |
22.2               | freetype (2.6.5)  | Needs Triage |                  |
22.1               | freetype (2.6.5)  | Needs Triage |                  |
21.11.1            | freetype (2.6.5)  | Needs Triage |                  |
21.11              | freetype (2.6.5)  | Needs Triage |                  |
21.8.1             | freetype (2.6.5)  | Needs Triage |                  |
21.8               | freetype (2.6.5)  | Needs Triage |                  |

Severity score breakdown

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Base Score: 5.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Version: 3.1

References