Bug 2428439 (CVE-2026-22693)

Summary: CVE-2026-22693 harfbuzz: Null Pointer Dereference in harfbuzz
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified
CC: ahughes, fferrari, fitzsim, gotiwari, jgrulich, jhorak, khosford, mvyas, neugens, pjindal, tpopela
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A null pointer dereference vector has been discovered in the harfbuzz package. A null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh:1672-1673. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault.
Bug Depends On: 2429270, 2429271, 2429272, 2429273, 2429274, 2429275, 2429276, 2429278, 2429279, 2429280, 2429281, 2429282, 2429283, 2429285, 2429287, 2429289, 2429290, 2429291, 2429292, 2429293, 2429294, 2429296, 2429277, 2429284, 2429286, 2429288, 2429295, 2429297    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-10 06:02:14 UTC
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.
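
The pattern the description names, as an added example that is not HarfBuzz source code and not part of the original report: an allocation result passed straight to placement new, next to a form that checks for NULL first. `DemoCache`, `demo_malloc` and `g_fail_alloc` are hypothetical names; `demo_malloc` stands in for an allocator hook that can simulate allocation failure.

```cpp
#include <cstdlib>
#include <new>

// Hypothetical stand-in for an allocator hook such as hb_malloc; it can be
// told to fail, simulating low-memory conditions.
static bool g_fail_alloc = false;
static void *demo_malloc(std::size_t n) { return g_fail_alloc ? nullptr : std::malloc(n); }

// Hypothetical cache object. Its constructor writes to its own members, so
// constructing it at a null address writes through a null pointer.
struct DemoCache {
  const void *base;
  unsigned entries;
  explicit DemoCache(const void *b) : base(b), entries(0) {}

  // Pattern the report describes: the allocation result goes straight into
  // placement new. Undefined behaviour when demo_malloc returns nullptr.
  static DemoCache *create_unchecked(const void *b) {
    DemoCache *c = static_cast<DemoCache *>(demo_malloc(sizeof(DemoCache)));
    return new (c) DemoCache(b);
  }

  // Hardened form: test the pointer first and report failure to the caller.
  static DemoCache *create_checked(const void *b) {
    void *mem = demo_malloc(sizeof(DemoCache));
    if (!mem) return nullptr;
    return new (mem) DemoCache(b);
  }

  static void destroy(DemoCache *c) {
    if (!c) return;
    c->~DemoCache();
    std::free(c);
  }
};

// Runs the checked path with and without a simulated allocation failure.
// Returns true when a real object is built and the failure yields nullptr.
bool demo_checked_path() {
  int table = 0;
  g_fail_alloc = false;
  DemoCache *ok = DemoCache::create_checked(&table);
  bool built = ok && ok->base == &table && ok->entries == 0;
  DemoCache::destroy(ok);
  g_fail_alloc = true;
  DemoCache *none = DemoCache::create_checked(&table);
  g_fail_alloc = false;
  return built && none == nullptr;
}
```

Callers of the checked form must handle a `nullptr` return; the unchecked form is shown only for contrast and is never called here.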

Comment 2 Parag Nemade 2026-01-14 02:58:30 UTC
Well, there is no information at all in this bug or parent bug about what this CVE is and how to reproduce it and what its severity is...

At least do some good work by adding the needed information to the description of the relevant bugs.