Fontconfig Project Fontconfig — known CVE vulnerabilities
Every CVE whose affected-product data names Fontconfig Project Fontconfig, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (2)
CVE-2016-5384 — CVSS 7.8 (high): fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct…
CVE-2026-34085 — CVSS 5.9 (medium): fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write…