https://bugzilla.redhat.com/show_bug.cgi?id=2036820
--- Comment #6 from Parag Nemade pnemade@redhat.com --- Yesterday I spend good amount of time on this CVE issue and concluded that those Feodra/RHEL releases which have only harfbuzz-2.9.0 build are affected. So actually No Fedora release is affected by this CVE. The code got introduced and fixed between 2.9.0 to 2.9.1 upstream release.
So this CVE is actually NOTABUG.