{"id":"CVE-2024-56732","summary":"HarfBuzz heap-buffer-overflow in hb_cairo_glyphs_from_buffer","details":"HarfBuzz is a text shaping engine. In versions 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.","aliases":["GHSA-qmp9-xqm5-jh6m"],"modified":"2026-04-12T08:40:52.555094Z","published":"2024-12-27T20:01:50.275Z","related":["USN-7214-1","openSUSE-SU-2025:14614-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56732.json","cwe_ids":["CWE-122"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56732.json"},{"type":"ADVISORY","url":"https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-qmp9-xqm5-jh6m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56732"},{"type":"FIX","url":"https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/harfbuzz/harfbuzz","events":[{"introduced":"30485ee8c3d43c553afb9d78b9924cb71c8d2f19"},{"fixed":"1767f99e2e2196c3fcae27db6d8b60098d3f6d26"}]}],"versions":["10.0.0","10.0.1","10.1.0","8.5.0","9.0.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"src/hb-cairo.cc"},"signature_version":"v1","source":"https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26","id":"CVE-2024-56732-5b914a9c","digest":{"line_hashes":["101381670642511750136096188759876543934","12328506225129801021064302089383805302","9370185567582852706827665174170357048","251530667908457065473378888393426979852","231478729928795929160394205226603092075","11244936958503034411226117464968572203","180992237101761590960485968278912641051","215467719411840351217369869385557206677"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"file":"src/hb-utf.hh"},"signatur
e_version":"v1","source":"https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26","id":"CVE-2024-56732-801cdbe3","digest":{"line_hashes":["78390860345498499146242423266815577269","55489293826008297714441351071652784162","128479798947106510080202640804647196557","315705961088702982388812972126524331888","247383050329611822005849449548914027312","238243990752691766276855339655071917555","120577973873232494587941797694386978605","100608248734269470482305123125152261285","60099835755011667875672851846954975383","131257704116070983605743264938644546021","22711509868529753660226065113097571103","143052093558971162661773531517847057913","78245771089659683804651245657240291549","307905913117117705053509782673422238189","32230662006476164645134078702488004359"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"hb_cairo_glyphs_from_buffer","file":"src/hb-cairo.cc"},"signature_version":"v1","source":"https://github.com/harfbuzz/harfbuzz/commit/1767f99e2e2196c3fcae27db6d8b60098d3f6d26","id":"CVE-2024-56732-d1a78223","digest":{"function_hash":"145248350772007978017605191606756508181","length":2834},"signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56732.json","vanir_signatures_modified":"2026-04-12T08:40:52Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}