Bug 2429278 - CVE-2026-22693 harfbuzz: Null Pointer Dereference in harfbuzz [fedora-42]
Summary: CVE-2026-22693 harfbuzz: Null Pointer Dereference in harfbuzz [fedora-42]
Keywords:
Status: ON_QA
Alias: None
Product: Fedora
Classification: Fedora
Component: harfbuzz
Version: 42
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Parag Nemade
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["9a132224-d774-465d-b84b-e...
Depends On:
Blocks: CVE-2026-22693
Reported: 2026-01-13 19:11 UTC by Jon Moroney
Modified: 2026-01-15 01:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:
pnemade: mirror+




Links: Red Hat Issue Tracker FC-2946 (last updated 2026-01-14 03:00:10 UTC)

Description Jon Moroney 2026-01-13 19:11:45 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 2 Parag Nemade 2026-01-14 02:57:49 UTC
Well there is no information at all in this bug or parent bug about what this CVE is and how to reproduce it and what its severity is....

Comment 3 Ben Beasley 2026-01-14 06:56:27 UTC
(In reply to Parag Nemade from comment #2)
> Well there is no information at all in this bug or parent bug about what
> this CVE is and how to reproduce it and what its severity is....

I agree, these bugs are horribly unhelpful. I ended up looking at this because I had bugs filed on python-uharfbuzz, apparently just because it has “harfbuzz” in the name. It removes the bundled harfbuzz in %prep and builds against the system harfbuzz, so there’s nothing to be done in python-uharfbuzz. That kind of sloppy targeting on these reports is also unhelpful.

Looking up CVE-2026-22693 in cve.org leads to https://www.cve.org/CVERecord?id=CVE-2026-22693, and that leads to https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww, which has a reasonable amount of detail. (These links should be in the bugs to start with!)

This kind of bug (a null-pointer dereference after a memory-allocation failure resulting in undefined behaviour) doesn’t seem likely to have much impact in practice in hosted environments where virtual memory overcommit is enabled and most applications aren’t prepared to handle allocation failures gracefully. Sure, absolutely anything can happen once undefined behavior comes into play, but in this case there doesn’t seem to be much room for anything other than a null pointer dereference and ensuing program termination.

Then again, the fix https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae was very straightforward and trivial to backport, so I figured, why not open PRs?

Comment 4 Parag Nemade 2026-01-14 12:13:54 UTC
Ben,
Your contribution is always welcome and helpful to Fedora. Just that these Security people don't do their work fully while reporting CVE bugs.

Comment 5 Fedora Update System 2026-01-14 12:43:34 UTC
FEDORA-2026-bac983cf83 (harfbuzz-10.4.0-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-bac983cf83

Comment 6 Fedora Update System 2026-01-15 01:52:13 UTC
FEDORA-2026-bac983cf83 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-bac983cf83`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-bac983cf83

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

