PT-2022-4310 · Harfbuzz+10

Pietroborrello · Published 2022-06-22 · Updated 2025-09-19 · CVE-2022-33068

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Harfbuzz version 4.3.0

Description: The issue is an integer overflow in the hb-ot-shape-fallback.cc component of the Harfbuzz library, which attackers can exploit to cause a Denial of Service (DoS) via unspecified vectors. Sending specially crafted data to an application that uses the library triggers the integer overflow and can lead to a crash.

Recommendations: For Harfbuzz version 4.3.0, update to a newer version that includes a fix for the integer overflow in the hb-ot-shape-fallback.cc component. As a temporary workaround, restrict the input data so that specially crafted requests cannot reach the vulnerable code and cause the integer overflow.

Exploit · Fix · DoS · Integer Overflow


Weakness Enumeration

Related Identifiers

ALSA-2022:8384
BDU:2022-05166
CESA-2022:7000
CESA-2022:7012
CVE-2022-33068
OESA-2022-1777
OPENSUSE-SU-2022:2663-1
OPENSUSE-SU-2022:2664-1
OPENSUSE-SU-2024:12168-1
RHSA-2022:6999
RHSA-2022:7000
RHSA-2022:7012
RHSA-2022:7013
RHSA-2022:8384
RLSA-2022:8384
SUSE-SU-2022:2663-1
SUSE-SU-2022:2664-1
USN-5524-1

Affected Products

Almalinux
Astra Linux
Centos
Debian
Harfbuzz
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu