https://bugzilla.redhat.com/show_bug.cgi?id=2429278
Bug ID: 2429278
Summary: CVE-2026-22693 harfbuzz: Null Pointer Dereference in harfbuzz [fedora-42]
Product: Fedora
Version: 42
Status: NEW
Whiteboard: {"flaws": ["9a132224-d774-465d-b84b-e175909efd82"]}
Component: harfbuzz
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: pnemade@redhat.com
Reporter: jmoroney@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: i18n-bugs@lists.fedoraproject.org, kalevlember@gmail.com, moceap@hotmail.com, pnemade@redhat.com
Blocks: 2428439
Target Milestone: ---
Classification: Fedora
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Ben Beasley code@musicinmybrain.net changed:
What | Removed | Added
---- | ------- | -----
CC   |         | code@musicinmybrain.net

--- Comment #1 from Ben Beasley code@musicinmybrain.net ---
https://src.fedoraproject.org/rpms/harfbuzz/pull-request/11
--- Comment #2 from Parag Nemade pnemade@redhat.com ---
Well, there is no information at all in this bug or the parent bug about what this CVE is, how to reproduce it, and what its severity is...
Parag Nemade pnemade@redhat.com changed:
What  | Removed | Added
----- | ------- | -----
Flags |         | mirror+
Red Hat One Jira (issues.redhat.com) redhat-one-jira@bot.bugzilla.redhat.com changed:
What    | Removed | Added
------- | ------- | -----
Link ID |         | Red Hat Issue Tracker FC-2946

--- Comment #3 from Ben Beasley code@musicinmybrain.net ---
(In reply to Parag Nemade from comment #2)
> Well there is no information at all in this bug or parent bug about what this CVE is and how to reproduce it and what its severity is....
I agree, these bugs are horribly unhelpful. I ended up looking at this because I had bugs filed on python-uharfbuzz, apparently just because it has “harfbuzz” in the name. It removes the bundled harfbuzz in %prep and builds against the system harfbuzz, so there’s nothing to be done in python-uharfbuzz. That kind of sloppy targeting on these reports is also unhelpful.
Looking up CVE-2026-22693 in cve.org leads to https://www.cve.org/CVERecord?id=CVE-2026-22693, and that leads to https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww, which has a reasonable amount of detail. (These links should be in the bugs to start with!)
This kind of bug (a null-pointer dereference after a memory-allocation failure resulting in undefined behaviour) doesn’t seem likely to have much impact in practice in hosted environments where virtual memory overcommit is enabled and most applications aren’t prepared to handle allocation failures gracefully. Sure, absolutely anything can happen once undefined behavior comes into play, but in this case there doesn’t seem to be much room for anything other than a null pointer dereference and ensuing program termination.
Then again, the fix https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae... was very straightforward and trivial to backport, so I figured, why not open PRs?
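The bug class discussed in the comment above (a null-pointer dereference after a memory-allocation failure) is easiest to see in a small, self-contained growable buffer. The following is an added illustration written for this page; it is not harfbuzz code and does not reproduce the fixed function. The buffer type, the `checked_malloc` wrapper and the `fail_next_alloc` hook are constructed for the example so that the allocation-failure path can be exercised deterministically instead of relying on the system running out of memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Test hook (constructed for this example, not a harfbuzz API): when set,
 * the next allocation request returns NULL so the failure path can be
 * exercised without exhausting memory. */
int fail_next_alloc = 0;

void *checked_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* A toy growable array of glyph ids, loosely modelled on the kind of
 * buffer a shaping library keeps. Constructed for this example. */
typedef struct {
    uint32_t *items;
    size_t len;
    size_t cap;
    int in_error;   /* sticky flag: once an allocation fails, stay failed */
} glyph_vec_t;

/* The buggy pattern: the allocation result is used without a NULL check.
 * When checked_malloc returns NULL, the memcpy and the store below write
 * through a null pointer, which is undefined behaviour (in practice a
 * crash). Shown for contrast only; never called with failure injected. */
void glyph_vec_push_unchecked(glyph_vec_t *v, uint32_t gid) {
    if (v->len == v->cap) {
        size_t new_cap = v->cap ? v->cap * 2 : 4;
        uint32_t *new_items = checked_malloc(new_cap * sizeof *new_items);
        if (v->len) memcpy(new_items, v->items, v->len * sizeof *new_items);
        free(v->items);
        v->items = new_items;
        v->cap = new_cap;
    }
    v->items[v->len++] = gid;
}

/* The hardened form: check the allocation (and the size arithmetic that
 * feeds it), leave the vector untouched on failure, and record the error
 * so callers bail out instead of continuing on half-built state. */
int glyph_vec_push(glyph_vec_t *v, uint32_t gid) {
    if (v->in_error) return 0;
    if (v->len == v->cap) {
        size_t new_cap = v->cap ? v->cap * 2 : 4;
        /* guard the multiplication that sizes the allocation */
        if (new_cap < v->cap || new_cap > SIZE_MAX / sizeof *v->items) {
            v->in_error = 1;
            return 0;
        }
        uint32_t *new_items = checked_malloc(new_cap * sizeof *new_items);
        if (!new_items) {        /* the check the buggy variant lacks */
            v->in_error = 1;     /* old contents remain valid and owned */
            return 0;
        }
        if (v->len) memcpy(new_items, v->items, v->len * sizeof *new_items);
        free(v->items);
        v->items = new_items;
        v->cap = new_cap;
    }
    v->items[v->len++] = gid;
    return 1;
}

void glyph_vec_fini(glyph_vec_t *v) {
    free(v->items);
    v->items = NULL;
    v->len = v->cap = 0;
    v->in_error = 0;
}

/* Push enough ids to fill the initial capacity, then inject one
 * allocation failure on the growth step and confirm the vector stays
 * consistent. Returns 0 on success, a negative code otherwise. */
int demo_checked_growth(void) {
    glyph_vec_t v = {0};
    for (uint32_t i = 0; i < 4; i++)
        if (!glyph_vec_push(&v, i)) return -1;
    fail_next_alloc = 1;            /* the 5th push needs growth to 8 */
    int ok = glyph_vec_push(&v, 4);
    int result = (!ok && v.in_error && v.len == 4 && v.cap == 4) ? 0 : -2;
    glyph_vec_fini(&v);
    return result;
}
```

The sticky `in_error` flag is the part worth copying: once an allocation has failed, every later operation becomes a no-op, so the caller only has to check once at the end of a sequence rather than after every push. Note that the test hook makes the failure reproducible; in a real process the same path is reached only when the allocator actually returns NULL, which, as the comment above observes, is rare on systems with memory overcommit enabled.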
--- Comment #4 from Parag Nemade pnemade@redhat.com ---
Ben, your contribution is always welcome and helpful to Fedora. It's just that these security people don't do their work fully when reporting CVE bugs.
Fedora Update System updates@fedoraproject.org changed:
What   | Removed | Added
------ | ------- | --------
Status | NEW     | MODIFIED

--- Comment #5 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2026-bac983cf83 (harfbuzz-10.4.0-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-bac983cf83
Fedora Update System updates@fedoraproject.org changed:
What   | Removed  | Added
------ | -------- | -----
Status | MODIFIED | ON_QA

--- Comment #6 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2026-bac983cf83 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-bac983cf83`
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2026-bac983cf83
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Fedora Update System updates@fedoraproject.org changed:
What             | Removed | Added
---------------- | ------- | ----------------------
Resolution       | ---     | ERRATA
Fixed In Version |         | harfbuzz-10.4.0-2.fc42
Status           | ON_QA   | CLOSED
Last Closed      |         | 2026-01-28 01:26:02

--- Comment #7 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2026-bac983cf83 (harfbuzz-10.4.0-2.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.