CVE-2026-23865 PUBLISHED

Assigner: Meta
Reserved: 16.01.2026 Published: 02.03.2026 Updated: 04.03.2026

An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
CVSS Score: 5.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	FreeType
Product	FreeType
Versions	Default: affected affected from 2.13.2 to 2.13.3 (incl.) affected from 2.14.0 to 2.14.1 (incl.)

References

https://www.facebook.com/security/advisories/cve-2026-23865
https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/

Problem Types

CWE-125: Out of Bounds Read