CVE 8.8 HIGH

FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability_CVE-2025-15273

December 31, 2025 invoker category_cve
8.8 / 10
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of PFB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28546.

AI Analysis

Stack-based buffer overflow in FontForge PFB file parsing allows remote code execution

Basic Information

ID CVE-2025-15273
Source zdi
Published Dec 31, 2025 at 06:59

Affected Product

Vendor FontForge
Product FontForge
Version aca4f524c6cb14cdc7bc4cd493492a33f5154797
Affected Versions FontForge FontForge aca4f524c6cb14cdc7bc4cd493492a33f5154797

CWE Classification

CWE-121

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor FontForge
Product FontForge
Version aca4f524c6cb14cdc7bc4cd493492a33f5154797

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.