Harfbuzz Project Harfbuzz — known CVE vulnerabilities
Every CVE whose affected-product data names Harfbuzz Project Harfbuzz, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (8)
CVE-2024-56732 — CVSS 8.8 (high): HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buf…
CVE-2016-2052 — CVSS 7.6 (high): Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a…
CVE-2015-8947 — CVSS 7.6 (high): hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly…
CVE-2023-25193 — CVSS 7.5 (high): hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of…
CVE-2015-9274 — CVSS 6.5 (medium): HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of…
CVE-2021-45931 — CVSS 6.5 (medium): HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and…
CVE-2022-33068 — CVSS 5.5 (medium): An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via…
CVE-2026-22693 — CVSS 5.3 (medium): HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::cr…