{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-34085", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-25T16:54:36.761Z", "datePublished": "2026-03-25T16:54:37.187Z", "dateUpdated": "2026-03-27T14:57:45.810Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "fontconfig", "vendor": "fontconfig", "versions": [{"lessThan": "2.17.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-193", "description": "CWE-193 Off-by-one Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T16:56:57.003Z"}, "references": [{"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:57:39.116564Z", "id": "CVE-2026-34085", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:57:45.810Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-34085", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-25T16:54:36.761Z", "datePublished": "2026-03-25T16:54:37.187Z", "dateUpdated": "2026-03-27T14:57:45.810Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "fontconfig", "vendor": "fontconfig", "versions": [{"lessThan": "2.17.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-193", "description": "CWE-193 Off-by-one Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T16:56:57.003Z"}, "references": [{"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446"}, {"url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34085", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:57:39.116564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:57:42.596Z"}}]}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fontconfig_project:fontconfig:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDEDDD40-A23D-475A-BF45-FEB2A50FA1DE", "versionEndExcluding": "2.17.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c."}, {"lang": "es", "value": "fontconfig anterior a 2.17.1 tiene un error de uno en la asignaci\u00f3n durante el manejo de capacidades sfnt, lo que lleva a una escritura fuera de l\u00edmites de un byte, y potencialmente a un fallo o ejecuci\u00f3n de c\u00f3digo. Esto se encuentra en FcFontCapabilities en fcfreetype.c."}], "id": "CVE-2026-34085", "lastModified": "2026-03-27T21:39:33.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-03-25T17:17:09.210", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446"}, {"source": "[email protected]", "tags": ["Issue Tracking"], "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "fontconfig: Fontconfig: Security flaw allows arbitrary code execution or system crash", "id": "2451414", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451414"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-193", "details": ["A flaw was found in fontconfig. This vulnerability, an off-by-one error in how fontconfig handles font capabilities, could allow a local attacker to cause a one-byte out-of-bounds write. This issue may lead to a system crash, resulting in a Denial of Service (DoS), or potentially enable the attacker to execute unauthorized code."], "mitigation": {"lang": "en:us", "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability."}, "name": "CVE-2026-34085", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mingw-fontconfig", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "fontconfig", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T16:54:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34085\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34085\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446\nhttps://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.17.1)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "fontconfig", "source": "cna", "vendor": "fontconfig"}, "product": "fontconfig", "vendor": "fontconfig_project"}], "analysis": {"en": {"generated_at": "2026-03-25T19:09:24.796472+00:00", "value": {"mitigation_remediation": ["Upgrade fontconfig to version 2.17.1 or later to eliminate the flawed code path.", "If an immediate upgrade is not possible, restrict or validate the font files that applications load to reduce the chance of triggering the overflow.", "Stay informed by monitoring fontconfig releases and security advisories for any further guidance or patches."], "summary": {"action": "Apply Patch", "impact": "Potential Code Execution"}, "threat_synthesis": {"affected_systems": "All versions of fontconfig older than 2.17.1 are affected. Systems that link against this library\u2014Linux desktop environments, X11 servers, and any application that loads font files\u2014could be impacted. The product name is fontconfig; no specific vendor names are provided. ", "description_and_impact": "fontconfig, the default font configuration library on Linux and related systems, contains an off\u2011by\u2011one error in the sfnt capability handler. The flaw permits a one\u2011byte write past the end of a buffer, which can corrupt memory and may result in either a crash or execution of arbitrary code. The defect is classified as an off\u2011by\u2011one error (CWE\u2011193).", "risk_and_exploitability": "The CVSS score is 5.9, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so current exploitation visibility is limited. The likely attack vector is local, inferred from the fact that the flaw is triggered when fontconfig processes font files that an application or service is able to provide. If an attacker supplies a crafted font, the out\u2011of\u2011bounds write could terminate the consuming process or, in the worst case, lead to code execution with the process\u2019s privileges."}}}}, "created": "2026-03-25T21:46:45.549586+00:00", "title": "Off-by-One Vulnerability in Fontconfig May Enable Code Execution", "updated": "2026-03-26T11:34:28.391226+00:00", "vendors": ["fontconfig_project", "fontconfig_project$PRODUCT$fontconfig"]}