CVE 8.8 HIGH

FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability_CVE-2025-15275

December 31, 2025 invoker category_cve
8.8 / 10
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28543.

AI Analysis

Heap-based buffer overflow vulnerability in FontForge SFD file parsing allows remote code execution

Basic Information

ID CVE-2025-15275
Source zdi
Published Dec 31, 2025 at 06:59

Affected Product

Vendor FontForge
Product FontForge
Version aca4f524c6cb14cdc7bc4cd493492a33f5154797
Affected Versions FontForge FontForge aca4f524c6cb14cdc7bc4cd493492a33f5154797

CWE Classification

CWE-122

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor FontForge
Product FontForge
Version aca4f524c6cb14cdc7bc4cd493492a33f5154797

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.