REDHAT-BUG-2426423: Use After Free
FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2426423?
The severity of REDHAT-BUG-2426423 is critical due to its potential for remote code execution.
How do I fix REDHAT-BUG-2426423?
To fix REDHAT-BUG-2426423, update to the latest version of FontForge that includes the patch for this vulnerability.
Who is affected by REDHAT-BUG-2426423?
Users of FontForge are affected by REDHAT-BUG-2426423, particularly those who can be tricked into opening malicious SFD files.
What type of vulnerability is REDHAT-BUG-2426423?
REDHAT-BUG-2426423 is classified as a use-after-free vulnerability that can lead to remote code execution.
Is user interaction required to exploit REDHAT-BUG-2426423?
Yes, user interaction is required, as the target must visit a malicious page or open a compromised SFD file.