CVE 8.8 HIGH

FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability_CVE-2025-15280

December 31, 2025 invoker category_cve
8.8 / 10
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28525.

AI Analysis

Remote code execution vulnerability in FontForge due to a use-after-free flaw in SFD file parsing, allowing attackers to execute arbitrary code on affected installations.

Basic Information

ID CVE-2025-15280
Source zdi
Published Dec 31, 2025 at 06:59

Affected Product

Vendor FontForge
Product FontForge
Version aca4f524c6cb14cdc7bc4cd493492a33f5154797
Affected Versions FontForge FontForge aca4f524c6cb14cdc7bc4cd493492a33f5154797

CWE Classification

CWE-416

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor FontForge
Product FontForge
Version aca4f524c6cb14cdc7bc4cd493492a33f5154797

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.