CVE-2010-2497
CVE-2010-2497 is a medium-severity vulnerability in Freetype with a CVSS 2.0 base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-191.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.8)
- EPSS exploit prediction: 6% (92nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-191
- Affected product: Freetype
- Published:
- Last modified:
Description
Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
Frequently asked questions
- What is CVE-2010-2497?
- Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
- How severe is CVE-2010-2497?
- CVE-2010-2497 has a CVSS 2.0 base score of 6.8, rated medium severity.
- Is CVE-2010-2497 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 6% (92nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2010-2497?
- CVE-2010-2497 primarily affects Freetype. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2010-2497?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2010-2497 published?
- CVE-2010-2497 was published on 2010-08-19 and last updated on 2026-06-16.
References
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7d3d2cc4fef72c6be9c454b3809c387e12b44cfc
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://lists.nongnu.org/archive/html/freetype/2010-07/msg00001.html
- http://marc.info/?l=oss-security&m=127905701201340&w=2
- http://marc.info/?l=oss-security&m=127909326909362&w=2
- http://secunia.com/advisories/48951
- http://support.apple.com/kb/HT4435
- http://www.debian.org/security/2010/dsa-2070
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:137
- https://bugzilla.redhat.com/show_bug.cgi?id=613154
- https://savannah.nongnu.org/bugs/?30082
- https://savannah.nongnu.org/bugs/?30083
Affected products (3)
- cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
More vulnerabilities in Freetype
- CVE-2012-1126 — Critical (CVSS 10.0): FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to…
- CVE-2022-27404 — Critical (CVSS 9.8): FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the…
- CVE-2015-9290 — Critical (CVSS 9.8): In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is…
- CVE-2017-8287 — Critical (CVSS 9.8): FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the…
- CVE-2017-8105 — Critical (CVSS 9.8): FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the…
- CVE-2017-7864 — Critical (CVSS 9.8): FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the…
Other CWE-191 (Integer Underflow) vulnerabilities
- CVE-2007-0063 — Critical (CVSS 10.0): Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build…
- CVE-2026-53176 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: IB/isert: Reject login PDUs shorter than…
- CVE-2026-37534 — Critical (CVSS 9.8): Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in…
- CVE-2025-52471 — Critical (CVSS 9.8): ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been…
- CVE-2025-29909 — Critical (CVSS 9.8): CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures…
- CVE-2024-47606 — Critical (CVSS 9.8): GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in…