An integer overflow in the ttvarloaditemvariation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.
{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2.13.2"
},
{
"last_affected": "2.13.3"
},
{
"introduced": "2.14.0"
},
{
"last_affected": "2.14.1"
}
]
}"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23865.json"
"2026-07-08T00:03:14Z"
[
{
"signature_version": "v1",
"source": "https://gitlab.com/freetype/freetype@fc85a255849229c024c8e65f536fe1875d84841c",
"signature_type": "Function",
"id": "CVE-2026-23865-2ac371c1",
"digest": {
"length": 4105.0,
"function_hash": "371595557651698550721007698133082557"
},
"deprecated": false,
"target": {
"function": "tt_var_load_item_variation_store",
"file": "src/truetype/ttgxvar.c"
}
},
{
"signature_version": "v1",
"source": "https://gitlab.com/freetype/freetype@fc85a255849229c024c8e65f536fe1875d84841c",
"signature_type": "Line",
"id": "CVE-2026-23865-91cf58e3",
"digest": {
"line_hashes": [
"173775725118845386785921971932501480943",
"217990528756814337641523475873168464252",
"256299278966677633404315659859596614456",
"131613146236841817417653859910863912020",
"64709015543735491674836162189416750751",
"31847057092482650765499423577043743340",
"77677376389532582855417806035044380397",
"251390016063463307935723584293454852956"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "src/truetype/ttgxvar.c"
}
}
]
{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2.13.2"
},
{
"last_affected": "2.13.3"
},
{
"introduced": "2.14.0"
},
{
"last_affected": "2.14.1"
}
]
}