Bug 2426433 (CVE-2025-15278)

Summary: CVE-2025-15278 fontforge: FontForge: Arbitrary Code Execution via XBM file parsing integer overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in FontForge. This integer overflow vulnerability, located in the parsing of pixels within XBM (X BitMap) files, allows a remote attacker to execute arbitrary code. The issue arises from insufficient validation of user-supplied data, which can lead to an integer overflow before memory allocation. Successful exploitation requires user interaction, such as opening a malicious XBM file, and results in arbitrary code execution in the context of the current process.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2426592, 2426596    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-31 08:02:06 UTC 
FontForge GUtils XBM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of pixels within XBM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27865.