Product: freetype
95 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Each entry gives the CVE ID, the affected version range in the notation used throughout this listing ("<= 2.5.3", "< 2.12.0", ">= 2.6.0 and < 2.10.4", or "all versions"), a one-line summary (cut short in this capture), and, where the page records one, the CVSS base score and severity. Select any CVE for the full briefing and its intelligence graph.
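Because every entry is keyed by a version range in a small fixed notation, the listing can be matched mechanically against an installed FreeType. The block below is an added example written for this page, not code from threatengine.sh or from the FreeType project: it parses the four range shapes the page uses, compares them against a dotted version string (for instance the output of `pkg-config --modversion freetype2`), and runs the check over a handful of entries copied from this page. The entry table is a subset chosen to cover each range shape; the helper names are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A subset of this page's entries (CVE ID, affected range), enough to
 * exercise every range shape the listing uses. */
struct ft_cve { const char *id; const char *range; };

static const struct ft_cve page_entries[] = {
    { "CVE-2026-23865", ">= 2.13.2 and <= 2.13.3" },
    { "CVE-2025-27363", "<= 2.13.0" },
    { "CVE-2025-23022", "all versions" },
    { "CVE-2022-27404", "< 2.12.0" },
    { "CVE-2020-15999", ">= 2.6.0 and < 2.10.4" },
    { "CVE-2018-6942",  "<= 2.9" },
    { "CVE-2014-9668",  "<= 2.5.3" },
};
#define N_ENTRIES (sizeof page_entries / sizeof page_entries[0])

/* Pack "MAJOR.MINOR.PATCH" into one comparable key. A missing component
 * counts as 0, so "2.9" sorts as 2.9.0 (which is what "<= 2.9" means on
 * this page: 2.9.1 is outside the range). Returns -1 on malformed input. */
static long ft_version_key(const char *s)
{
    long parts[3] = { 0, 0, 0 };
    for (int i = 0; i < 3; i++) {
        char *end;
        if (!isdigit((unsigned char)*s)) return -1;
        parts[i] = strtol(s, &end, 10);
        if (parts[i] > 1023) return -1;          /* keeps the shifts below lossless */
        if (*end == '\0') break;
        if (*end != '.' || i == 2) return -1;
        s = end + 1;
    }
    return (parts[0] << 20) | (parts[1] << 10) | parts[2];
}

/* Evaluate one comparison clause ("<= 2.5.3", "< 2.12.0", ">= 2.6.0")
 * against key v. Returns 1 or 0, or -1 if the clause is not understood. */
static int clause_matches(const char *clause, long v)
{
    int lt = 0, gt = 0, eq = 0;
    while (*clause == ' ') clause++;
    if (*clause == '<')      { lt = 1; clause++; }
    else if (*clause == '>') { gt = 1; clause++; }
    if (*clause == '=')      { eq = 1; clause++; }
    if (!lt && !gt && !eq) return -1;
    while (*clause == ' ') clause++;
    long bound = ft_version_key(clause);
    if (bound < 0) return -1;
    if (v == bound) return eq;
    if (lt) return v < bound;
    if (gt) return v > bound;
    return 0;
}

/* Evaluate a range in this page's notation ("all versions", "<= 2.5.3",
 * "< 2.12.0", ">= 2.6.0 and < 2.10.4"; " and " is a conjunction).
 * Returns 1 if version is inside the range, 0 if not, -1 on input the
 * parser does not understand. */
int ft_version_affected(const char *range, const char *version)
{
    long v = ft_version_key(version);
    if (v < 0) return -1;
    if (strcmp(range, "all versions") == 0) return 1;

    char buf[128];
    if (strlen(range) >= sizeof buf) return -1;
    strcpy(buf, range);

    char *clause = buf;
    for (;;) {
        char *sep = strstr(clause, " and ");
        if (sep) *sep = '\0';
        int r = clause_matches(clause, v);
        if (r != 1) return r;                    /* 0 or -1 ends the conjunction */
        if (!sep) return 1;
        clause = sep + 5;
    }
}

/* Number of listed entries whose range contains version (-1 if the
 * version string itself is malformed). */
int ft_count_affecting(const char *version)
{
    if (ft_version_key(version) < 0) return -1;
    int n = 0;
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (ft_version_affected(page_entries[i].range, version) == 1) n++;
    return n;
}

int main(int argc, char **argv)
{
    /* e.g. ./ftcheck "$(pkg-config --modversion freetype2)" */
    const char *version = argc > 1 ? argv[1] : "2.10.3";
    for (size_t i = 0; i < N_ENTRIES; i++) {
        int r = ft_version_affected(page_entries[i].range, version);
        printf("%-15s %-24s %s\n", page_entries[i].id, page_entries[i].range,
               r == 1 ? "AFFECTED" : r == 0 ? "not affected" : "unparsed range");
    }
    printf("%s: %d of %zu listed entries apply\n",
           version, ft_count_affecting(version), N_ENTRIES);
    return 0;
}
```

A range match is a prompt, not a verdict: distribution packages routinely backport fixes without bumping the version string, so a hit against a distro-supplied libfreetype still needs the package changelog or the vendor advisory before it is reported as exposure.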
CVE-2026-23865
>= 2.13.2 and <= 2.13.3
An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may all
5.3
MEDIUM
CVE-2025-27363
<= 2.13.0
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attemptin
8.1
HIGH
CVE-2025-23022
all versions
FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cff/cf2intrp.c.
4.0
MEDIUM
CVE-2022-27406
< 2.12.0
FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Re
7.5
HIGH
CVE-2022-27405
< 2.12.0
FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_S
7.5
HIGH
CVE-2022-27404
< 2.12.0
FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_in
9.8
CRITICAL
CVE-2020-15999
>= 2.6.0 and < 2.10.4
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap cor
9.6
CRITICAL
CVE-2015-9383
< 2.6.2
FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.
6.5
MEDIUM
CVE-2015-9382
< 2.6.1
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an
6.5
MEDIUM
CVE-2015-9381
< 2.6.1
FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.
8.8
HIGH
CVE-2015-9290
< 2.6.1
In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check tha
9.8
CRITICAL
CVE-2018-6942
<= 2.9
An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c
6.5
MEDIUM
CVE-2017-8287
<= 2.7.1
FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_con
9.8
CRITICAL
CVE-2017-8105
< 2.7.1
FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_cha
9.8
CRITICAL
CVE-2017-7864
<= 2.7.1
FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset functi
9.8
CRITICAL
CVE-2017-7858
<= 2.7.1
FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_i
9.8
CRITICAL
CVE-2017-7857
>= 2.7 and < 2.8
FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var functi
9.8
CRITICAL
CVE-2016-10328
<= 2.7
FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run funct
9.8
CRITICAL
CVE-2016-10244
< 2.7.1
The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which
7.8
HIGH
CVE-2014-9747
<= 2.5.3
The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for im
7.5
HIGH
CVE-2014-9746
<= 2.5.3
The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_m
9.8
CRITICAL
CVE-2014-9745
<= 2.5.2
The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infin
CVE-2014-9675
<= 2.5.3
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allo
CVE-2014-9674
<= 2.5.3
The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without valida
CVE-2014-9673
<= 2.5.3
Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers
CVE-2014-9672
<= 2.5.3
Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of
CVE-2014-9671
<= 2.5.3
Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a d
CVE-2014-9670
<= 2.5.3
Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attack
CVE-2014-9669
<= 2.5.3
Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-b
CVE-2014-9668
<= 2.5.3
The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting
CVE-2014-9667
<= 2.5.3
sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remot
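CVE-2014-9668 (woff_open_font) and CVE-2014-9667 (sfnt/ttload.c) above describe the same failure mode: an offset and a length read from the font are added together before being compared with the file size, and in 32-bit arithmetic that sum can wrap to a small number, so a table that begins past the end of the file passes the check. The block below is an added example written for this page, not FreeType's own code: it shows the wrapping check beside an overflow-safe one and runs both over a constructed sfnt table directory (not a real font; the 'head' and 'glyf' tags are only labels) whose second record has offset 0xFFFFFFF0 and length 0x20.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Big-endian field readers; sfnt/TrueType directories are big-endian. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* The pattern the two CVE summaries point at, kept here for contrast:
 * the sum is formed first, so offset + length wraps in 32 bits and a
 * record that starts beyond the file passes. */
int table_in_bounds_wrapping(uint32_t file_size, uint32_t offset, uint32_t length)
{
    return offset + length <= file_size;
}

/* Hardened check: compare each operand against the space that is
 * actually left, never forming a sum that can wrap. */
int table_in_bounds(uint32_t file_size, uint32_t offset, uint32_t length)
{
    if (offset > file_size) return 0;
    if (length > file_size - offset) return 0;
    return 1;
}

/* Walk an sfnt table directory (12-byte header, then 16-byte records of
 * tag/checksum/offset/length) and count the records `check` accepts.
 * Returns -1 if the directory itself does not fit; numTables is 16-bit,
 * so numTables * 16 cannot overflow 32 bits on its own. */
int count_accepted_tables(const uint8_t *buf, uint32_t file_size,
                          int (*check)(uint32_t, uint32_t, uint32_t))
{
    if (file_size < 12) return -1;
    uint32_t num_tables = rd16(buf + 4);
    if (num_tables > (file_size - 12) / 16) return -1;

    int accepted = 0;
    for (uint32_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + 12 + i * 16;
        uint32_t offset = rd32(rec + 8), length = rd32(rec + 12);
        if (check(file_size, offset, length)) accepted++;
    }
    return accepted;
}

/* Constructed 96-byte sample, not a real font: two records, the second
 * with offset 0xFFFFFFF0 and length 0x20, whose 32-bit sum wraps to 0x10. */
#define SAMPLE_SIZE 0x60
static const uint8_t sample_sfnt[SAMPLE_SIZE] = {
    0x00, 0x01, 0x00, 0x00,                           /* sfntVersion 1.0 */
    0x00, 0x02,                                       /* numTables = 2 */
    0x00, 0x20, 0x00, 0x01, 0x00, 0x00,               /* searchRange, entrySelector, rangeShift */
    'h', 'e', 'a', 'd', 0, 0, 0, 0,                   /* record 1: tag, checksum */
    0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x10,   /* offset 0x2C, length 0x10: inside */
    'g', 'l', 'y', 'f', 0, 0, 0, 0,                   /* record 2: tag, checksum */
    0xFF, 0xFF, 0xFF, 0xF0, 0x00, 0x00, 0x00, 0x20,   /* offset 0xFFFFFFF0, length 0x20: wraps */
    /* remaining bytes are zero: the 16 bytes of record 1 plus padding */
};

int accepted_by_wrapping_check(void)
{
    return count_accepted_tables(sample_sfnt, SAMPLE_SIZE, table_in_bounds_wrapping);
}

int accepted_by_hardened_check(void)
{
    return count_accepted_tables(sample_sfnt, SAMPLE_SIZE, table_in_bounds);
}

int main(void)
{
    printf("wrapping check accepts %d of 2 tables\n", accepted_by_wrapping_check());
    printf("hardened check accepts %d of 2 tables\n", accepted_by_hardened_check());
    return 0;
}
```

The same shape applies to any count-times-size computation in a parser: bound the count by the remaining space divided by the element size, as the directory check above does, rather than multiplying first and comparing the product.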
CVE-2014-9666
<= 2.5.3
The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without rest
CVE-2014-9665
<= 2.5.3
The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, whi
CVE-2014-9664
<= 2.5.3
FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to caus
CVE-2014-9663
<= 2.5.3
The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's valu
CVE-2014-9662
<= 2.5.3
cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attack
CVE-2014-9661
<= 2.5.3
type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which al
CVE-2014-9660
<= 2.5.3
The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which a
CVE-2014-9659
<= 2.5.3
cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has b
CVE-2014-9658
<= 2.5.3
The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows
CVE-2014-9657
<= 2.5.3
The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allo
CVE-2014-9656
<= 2.5.3
The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow,
CVE-2014-2241
<= 2.5.2
The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not prop
CVE-2014-2240
<= 2.5.2
Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers t
CVE-2012-5670
<= 2.4.10
The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-b
CVE-2012-5669
<= 2.4.10
The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) a
CVE-2012-5668
<= 2.4.10
FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via ve
CVE-2012-1144
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1143
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1142
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1141
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1140
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1139
<= 2.4.8
Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote atta
CVE-2012-1138
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1137
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1136
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1135
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1134
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1133
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1132
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1131
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attac
CVE-2012-1130
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1129
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1128
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1127
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2012-1126
<= 2.4.8
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a deni
CVE-2011-2895
all versions
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compres
CVE-2011-0226
<= 2.4.5
Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x
CVE-2010-3311
<= 2.3.12
Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause
CVE-2010-3855
<= 2.4.3
Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attacker
CVE-2010-3814
<= 2.4.3
Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute
CVE-2010-3054
all versions
Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service
CVE-2010-3053
<= 2.4.1
bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF f
CVE-2010-2808
< 2.4.2
Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause
CVE-2010-2807
< 2.4.2
FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of
CVE-2010-2806
< 2.4.2
Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a
CVE-2010-2805
< 2.4.2
The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values,
CVE-2010-2541
< 2.4.2
Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of ser
CVE-2010-2527
< 2.4.0
Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (applicati
CVE-2010-2520
< 2.4.0
Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support
CVE-2010-2519
< 2.4.0
Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attacker
CVE-2010-2500
< 2.4.0
Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a
CVE-2010-2499
< 2.4.0
Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause
CVE-2010-2498
< 2.4.0
The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks
CVE-2010-2497
< 2.4.0
Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application cra
CVE-2009-0946
<= 2.3.9
Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to l
CVE-2008-1808
all versions
Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted
CVE-2008-1807
all versions
FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Prin
CVE-2008-1806
all versions
Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bi
CVE-2007-3506
<= 2.3.3
The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType 2.3.3 allows context-dependent attackers to cause a denial
CVE-2007-2754
<= 2.3.4
Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary cod
CVE-2006-3467
<= 2.1
Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrar
CVE-2006-2661
< 2.2
ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers
CVE-2006-1861
all versions
Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute
CVE-2006-0747
<= 2.1
Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin