{"id":"CVE-2016-2052","details":"Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.","modified":"2026-04-16T06:22:11.844986590Z","published":"2016-01-25T11:59:10.627Z","related":["SUSE-SU-2017:1821-1","SUSE-SU-2017:2315-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2016-08/msg00070.html"},{"type":"WEB","url":"http://www.securitytracker.com/id/1034801"},{"type":"WEB","url":"http://www.securityfocus.com/bid/81812"},{"type":"WEB","url":"https://code.google.com/p/chromium/issues/detail?id=544270"},{"type":"WEB","url":"https://code.google.com/p/chromium/issues/detail?id=579625"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-0072.html"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-2877-1"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3067-1"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-76"},{"type":"REPORT","url":"https://github.com/behdad/harfbuzz/issues/139#issuecomment-148289957"},{"type":"FIX","url":"https://github.com/behdad/harfbuzz/commit/63ef0b41dc48d6112d1918c1b1de9de8ea90adb5"},{"type":"ARTICLE","url":"http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/behdad/harfbuzz","events":[{"introduced":"0"},{"last_affected":"ab170529246ad80830bef2b3c8b48e9a8d2b7483"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.5"}]}},{"type":"GIT","repo":"https://github.com/harfbuzz/harfbuzz","events":[{"introduced":"0"},{"fixed":"63ef0b41dc48d6112d1918c1b1de9de8ea90adb5"}]}],"versions":["0.6.0","0.9.1","0.9.10","0.9.11","0.9.12","0.9.13","0.9.14","0.9.15","0.9.16","0.9.17","0.9.18","0.9.19","0.9.2","0.9.20","0.9.21","0.9.22","0.9.23","0.9.24","0.9.25","0.9.26","0.9.27","0.9.28","0.9.29","0.9.3","0.9.30","0.9.31","0.9.32","0.9.33","0.9.34","0.9.35","0.9.36","0.9.37","0.9.38","0.9.39","0.9.4","0.9.40","0.9.41","0.9.42","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","hb-rename","ng-mergepoint","pango-extractpoint","pango-start"],"database_specific":{"vanir_signatures":[{"target":{"file":"src/hb-ot-font.cc"},"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["234991419372377911147011784491808647681","321153444090282685365951815766124566312","86305156222949548068857325375416648651","187202475723259998296423389636645701174"]},"id":"CVE-2016-2052-43be66a2","source":"https://github.com/harfbuzz/harfbuzz/commit/63ef0b41dc48d6112d1918c1b1de9de8ea90adb5","deprecated":false}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"47.0.2526.106"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2052.json","vanir_signatures_modified":"2026-04-11T03:43:40Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}]}