FontForge Memory Leak Vulnerability in DlgCreate8 Component

Vulnerability

A memory leak vulnerability has been identified in FontForge versions through 20230101, specifically within the DlgCreate8 function. This leak was detected using LeakSanitizer, which reported a direct leak of 40 bytes from a single allocation. The issue arises when the software processes certain font files, leading to increased memory usage that is not properly released.

Impact

Exploitation of this vulnerability causes a memory leak, which can lead to a denial-of-service condition by exhausting available memory resources.

Reproduction

The vulnerability can be reproduced by compiling FontForge with AddressSanitizer and Undefined Behavior Sanitizer enabled, using the AFL (American Fuzzy Lop) compiler wrapper to build it. After compiling and installing the application, FontForge is run with a command that opens a specific font file through the FontForge scripting language. Opening that file triggers the memory leak in the DlgCreate8 function, which LeakSanitizer reports when the process exits.
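A triage helper for the LeakSanitizer output described above, added here as an example and not part of the advisory or of FontForge itself: it parses a sanitizer report and checks whether a direct leak of the reported size has DlgCreate8 on its allocation stack, so a sanitizer-instrumented run can be matched against this advisory automatically. The sample report, its addresses and its source paths are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed LeakSanitizer excerpt modelled on the 40-byte direct leak the advisory
# describes; addresses and source paths are placeholders, not values from a real run.
SAMPLE_REPORT = """\
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7f0000001000 in malloc /PLACEHOLDER/compiler-rt/asan_malloc_linux.cpp:69
    #1 0x5500000a1000 in DlgCreate8 /PLACEHOLDER/fontforge/file.c:1
    #2 0x5500000a2000 in main /PLACEHOLDER/fontforge/main.c:1

SUMMARY: AddressSanitizer: 40 byte(s) leaked in 1 allocation(s).
"""

LEAK_HDR = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+)")

@dataclass
class Leak:
    kind: str          # "Direct" or "Indirect"
    nbytes: int
    objects: int
    frames: list = field(default_factory=list)  # function names, innermost first

def parse_lsan_report(text: str) -> list:
    """Split a LeakSanitizer report into Leak records with their call frames."""
    leaks, cur = [], None
    for line in text.splitlines():
        m = LEAK_HDR.match(line)
        if m:
            cur = Leak(m.group(1), int(m.group(2)), int(m.group(3)))
            leaks.append(cur)
            continue
        f = FRAME.match(line)
        if f and cur is not None:
            cur.frames.append(f.group(2))
        elif cur is not None and not line.strip():
            cur = None  # a blank line ends the current leak's stack

    return leaks

def matches_advisory(leaks, func="DlgCreate8", nbytes=40):
    """True when a direct leak of the advisory's size has func on its stack."""
    return any(l.kind == "Direct" and l.nbytes == nbytes and func in l.frames for l in leaks)

if __name__ == "__main__":
    found = parse_lsan_report(SAMPLE_REPORT)
    print(f"{len(found)} leak(s); matches advisory: {matches_advisory(found)}")
```

Feed it the stderr of a sanitizer build instead of SAMPLE_REPORT to confirm the leak signature after applying a fix.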

Remediation

Users can upgrade to the latest version of FontForge, where this vulnerability has been fixed.

Added: Oct 23, 2025, 4:18 PM
Updated: Oct 23, 2025, 5:24 PM

Vulnerability Rating

Custom Algorithm

  spread          5.4
  impact          2.5
  exploitability  6.0
  remediation     7.7
  relevance       0.8
  threat          6.4
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.