Home

CVE-2026-23865

Description

An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.

Risk Information

Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS Score
Exploitation Probability
0.014

Associated Vulnerability

VulnerabilityOS Platform
Multiple vulnerabilities are affected in Oracle GraalVM Enterprise Edition 21.3.17Windows
Multiple vulnerabilities are affected in Java(TM) SE Development Kit 25 (MSI) (x64) 25.0.2Windows
Multiple vulnerabilities are affected in Java(TM) SE Development Kit 21 (x64) 21.0.10Windows
Multiple vulnerabilities are fixed in Azul Zulu JDK 8 (MSI) 8.94.0.18Windows
Multiple vulnerabilities are fixed in Azul Zulu JDK 8 (MSI) (x64) 8.94.0.18Windows
Multiple vulnerabilities are fixed in Azul Zulu JDK 11 (MSI) (x64) 11.88.18Windows
Multiple vulnerabilities are fixed in Azul Zulu JDK 17 17.66.20Windows
Multiple vulnerabilities are fixed in Azul Zulu JDK 17 (x64) 17.66.20Windows
Multiple vulnerabilities are fixed in Azul Zulu JDK 21 (MSI) (x64) 21.50.20Windows
Multiple vulnerabilities are fixed in Azul Zulu JDK 25 (MSI) (x64) 25.34.18Windows
Multiple vulnerabilities are affected in Java SE Development Kit 11 (64-bit) 11.0.30Windows
Multiple vulnerabilities are affected in Java SE Development Kit 17 17.0.18Windows

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-358344Java(TM) SE Development Kit 25 (MSI) (x64) (25.0.3)
PATCH-358343Java(TM) SE Development Kit 21 (x64) (21.0.11)
PATCH-358388Java SE Development Kit 11 (64-bit) (11.0.31) (Manual Upload Required)
PATCH-358380Java SE Development Kit 17 (17.0.19) (Manual Upload Required)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234