Description
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.
A null pointer dereference vector has been discovered in the harfbuzz package. A null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh:1672-1673. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault.
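The pattern described above, shown beside a checked form, as an added C++ illustration (not HarfBuzz's source and not its actual patch). `Cache`, `test_malloc`, `fail_next`, `create_unchecked`, `create_checked` and `destroy` are hypothetical names; `test_malloc` stands in for a custom allocator that can be made to fail.

```cpp
// Added illustration; every name here is hypothetical, none is HarfBuzz code.
#include <cstdlib>
#include <new>
#include <vector>

static bool fail_next = false;          // when set, the next allocation fails

static void *test_malloc(std::size_t n) // stand-in for a custom allocator hook
{
    if (fail_next) { fail_next = false; return nullptr; }
    return std::malloc(n);
}

struct Cache {
    std::vector<unsigned> offsets;      // non-trivial member: the constructor writes to *this
    explicit Cache(unsigned n) : offsets(n, 0u) {}
};

// Pattern from the advisory: the allocator result goes to placement new
// unchecked. With p == nullptr this is undefined behaviour (typically a crash).
Cache *create_unchecked(unsigned n)
{
    void *p = test_malloc(sizeof(Cache));
    return new (p) Cache(n);
}

// Checked form: test the pointer first and report the failure to the caller.
Cache *create_checked(unsigned n)
{
    void *p = test_malloc(sizeof(Cache));
    if (!p) return nullptr;
    return new (p) Cache(n);
}

void destroy(Cache *c)
{
    if (!c) return;
    c->~Cache();                        // placement new needs an explicit destructor call
    std::free(c);
}

int main()
{
    fail_next = true;                   // simulate the low-memory condition
    Cache *c = create_checked(4);       // failure is reported, nothing is constructed
    int rc = (c == nullptr) ? 0 : 1;
    destroy(c);
    return rc;
}
```

Callers of the checked form must themselves handle the null return, otherwise the dereference only moves one level up.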
Report
This MODERATE severity null pointer dereference in the HarfBuzz library may cause a denial of service (segmentation fault) when memory allocation fails in hb_malloc. The issue affects Red Hat products that include and link against HarfBuzz, such as OpenJDK builds with the java.desktop module and certain RHEL components like Firefox and Thunderbird. The java-17-openjdk-headless and java-21-openjdk-headless packages do not include java.desktop and do not link against HarfBuzz; therefore, headless-only environments are not affected.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat build of OpenJDK 11 ELS | java-11-openjdk | Fix deferred | | |
| Red Hat build of OpenJDK 11 ELS | java-11-openjdk-portable | Fix deferred | | |
| Red Hat build of OpenJDK 17 | java-17-openjdk-portable | Fix deferred | | |
| Red Hat build of OpenJDK 21 | java-21-openjdk-portable | Fix deferred | | |
| Red Hat build of OpenJDK 25 | java-25-openjdk-portable | Fix deferred | | |
| Red Hat Enterprise Linux 10 | firefox | Fix deferred | | |
| Red Hat Enterprise Linux 10 | harfbuzz | Fix deferred | | |
| Red Hat Enterprise Linux 10 | java-21-openjdk | Fix deferred | | |
| Red Hat Enterprise Linux 10 | java-25-openjdk | Fix deferred | | |
| Red Hat Enterprise Linux 10 | thunderbird | Fix deferred | | |
Additional information
Status:
EPSS
CVSS3: 5.3 Medium
Related vulnerabilities
Null Pointer Dereference in SubtableUnicodesCache::create leading to DoS
HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null poi ...