Bug 2428439 (CVE-2026-22693) - CVE-2026-22693 harfbuzz: Null Pointer Dereference in harfbuzz
Summary: CVE-2026-22693 harfbuzz: Null Pointer Dereference in harfbuzz
Keywords:
Status: NEW
Alias: CVE-2026-22693
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2429270 2429271 2429272 2429273 2429274 2429275 2429276 2429278 2429279 2429280 2429281 2429282 2429283 2429284 2429285 2429287 2429289 2429290 2429291 2429292 2429293 2429294 2429295 2429296 2429277 2429286 2429288 2429297
Blocks:
Reported: 2026-01-10 06:02 UTC by OSIDB Bzimport
Modified: 2026-01-14 02:58 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-10 06:02:14 UTC
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.
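
The allocation-failure pattern the description outlines, as an added example that is not HarfBuzz code and not part of the original report. `demo_malloc`, `DemoCache`, `create_unchecked`, `create_checked` and `demo_destroy` are hypothetical names, with a failure-injecting allocator assumed in place of `hb_malloc`.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>

// Constructed failure-injecting allocator standing in for hb_malloc.
// -1: never fail; n >= 0: every allocation fails after n more have succeeded.
int g_fail_after = -1;
void *demo_malloc(std::size_t n) {
  if (g_fail_after == 0) return nullptr;
  if (g_fail_after > 0) --g_fail_after;
  return std::malloc(n);
}

// Hypothetical cached object; not HarfBuzz's type.
struct DemoCache {
  const void *source;
  std::size_t entries;
  explicit DemoCache(const void *src) : source(src), entries(0) {}
};

// Unchecked pattern: the constructor runs at whatever address the allocator
// returned. A null return makes this undefined behaviour (typically a crash).
DemoCache *create_unchecked(const void *src) {
  void *mem = demo_malloc(sizeof(DemoCache));
  return new (mem) DemoCache(src);
}

// Hardened pattern: report the failure to the caller instead of constructing.
DemoCache *create_checked(const void *src) {
  void *mem = demo_malloc(sizeof(DemoCache));
  if (!mem) return nullptr;
  return new (mem) DemoCache(src);
}

void demo_destroy(DemoCache *c) {
  if (!c) return;
  c->~DemoCache();
  std::free(c);
}

// True when create_checked turns an injected failure into a null result.
bool checked_survives_failure() {
  static const int table = 0;
  g_fail_after = 0;
  DemoCache *c = create_checked(&table);
  g_fail_after = -1;
  return c == nullptr;
}

int main() { return checked_survives_failure() ? 0 : 1; }
```

Callers of the checked form must themselves handle the null result; `create_unchecked` is only safe to exercise on the success path.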

Comment 2 Parag Nemade 2026-01-14 02:58:30 UTC
Well, there is no information at all in this bug or parent bug about what this CVE is and how to reproduce it and what its severity is...

At least do some good work by adding needed information in the description of relevant bugs.

