CVE-2022-27404

9.8 CRITICAL

📋 TL;DR

CVE-2022-27404 is a critical heap buffer overflow vulnerability in FreeType's sfnt_init_face function that allows attackers to execute arbitrary code or cause denial of service. This affects any application that uses FreeType for font rendering, including web browsers, document viewers, and operating systems. Attackers can exploit this by tricking users into opening malicious font files.

💻 Affected Systems

Products:
  • FreeType
  • Applications using FreeType library (web browsers, document viewers, image processors, operating systems)
Versions: FreeType versions before 2.12.1
Operating Systems: Linux, Windows, macOS, BSD variants, Android
Default Config Vulnerable: ⚠️ Yes
Notes: Any system or application that uses FreeType for font rendering is vulnerable when processing malicious font files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with system-level privileges, potentially leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited code execution within the application context, potentially leading to privilege escalation.

🟢 If Mitigated: Application crash with minimal impact if sandboxed or running with limited privileges.

🌐 Internet-Facing: HIGH - Web applications and services that process user-uploaded fonts or render web content with custom fonts are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications that process font files could be exploited via phishing or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open malicious font files, but the vulnerability itself is straightforward to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FreeType 2.12.1 and later

Vendor Advisory: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138

Restart Required: Yes

Instructions:

1. Update the FreeType library to version 2.12.1 or later.
2. Update all applications that bundle FreeType.
3. Restart affected applications and services.

🔧 Temporary Workarounds

Disable font processing (all platforms)
  • Temporarily disable font rendering in vulnerable applications if possible

Application sandboxing (all platforms)
  • Run vulnerable applications in sandboxed environments with limited privileges

🧯 If You Can't Patch

  • Implement strict input validation for font files and block suspicious font formats
  • Deploy application control solutions to prevent execution of untrusted font processing applications

🔍 How to Verify

Check if Vulnerable:

Check FreeType version: freetype-config --version or check application documentation for bundled FreeType version

Check Version:

freetype-config --version

Verify Fix Applied:

Verify the FreeType version is 2.12.1 or higher (2.12.0 is still affected): freetype-config --version | grep -Eq '^2\.(12\.[1-9]|1[3-9]|[2-9][0-9])|^[3-9]'
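A regex on the version string is easy to get wrong for this CVE because the fixed release is a patch version (2.12.1), so 2.12.0 must fail and 2.20 or 3.0 must pass. The following POSIX sh script is an added example, not part of this advisory or of FreeType itself: it compares the version field by field against 2.12.1. It assumes the library registers itself with pkg-config under the module name freetype2 and falls back to freetype-config, which the advisory's own commands use but which is deprecated and missing on many current installs.

```shell
#!/bin/sh
# Added example, not part of the advisory: field-by-field check for the
# CVE-2022-27404 fix (FreeType 2.12.1). 2.12.0 is vulnerable; 2.20 and 3.0 are fixed.

FIXED="2.12.1"
FIXED_MAJOR=2
FIXED_MINOR=12
FIXED_PATCH=1

# ft_is_fixed VERSION
# Exit status 0 if VERSION >= 2.12.1, 1 if older, 2 if VERSION is not X.Y[.Z].
ft_is_fixed() {
    oldifs=$IFS
    IFS=.
    set -- $1                       # split "2.12.1" into 2 12 1
    IFS=$oldifs
    major=${1:-}; minor=${2:-}; patch=${3:-0}   # "2.12" is treated as 2.12.0
    for field in "$major" "$minor" "$patch"; do
        case "$field" in
            ''|*[!0-9]*) return 2 ;;            # empty or non-numeric field
        esac
    done
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -lt "$FIXED_MAJOR" ] && return 1
    [ "$minor" -gt "$FIXED_MINOR" ] && return 0
    [ "$minor" -lt "$FIXED_MINOR" ] && return 1
    [ "$patch" -ge "$FIXED_PATCH" ]
}

# installed_freetype_version
# Prints the installed version. pkg-config (module "freetype2") is the
# supported query; freetype-config is only tried as a fallback.
installed_freetype_version() {
    if v=$(pkg-config --modversion freetype2 2>/dev/null); then
        printf '%s\n' "$v"
    elif v=$(freetype-config --version 2>/dev/null); then
        printf '%s\n' "$v"
    else
        return 1
    fi
}

# report_version VERSION
# Prints a verdict line; exit status mirrors ft_is_fixed.
report_version() {
    ft_is_fixed "$1" && status=0 || status=$?
    case $status in
        0) printf 'FreeType %s: not affected by CVE-2022-27404 (>= %s)\n' "$1" "$FIXED" ;;
        1) printf 'FreeType %s: VULNERABLE to CVE-2022-27404 (< %s)\n' "$1" "$FIXED" ;;
        *) printf 'FreeType %s: unrecognised version string\n' "$1" ;;
    esac
    return $status
}

# Usage: ./check_freetype.sh            # checks the installed library
#        ./check_freetype.sh 2.12.0     # evaluates a version string instead
if [ "$#" -gt 0 ]; then
    report_version "$1"
elif v=$(installed_freetype_version); then
    report_version "$v"
else
    echo "FreeType not found via pkg-config or freetype-config" >&2
fi
```

The script exits non-zero when the installed library is older than 2.12.1, so it can be dropped into a configuration-management or CI check as-is. Note that it only inspects the system library; applications that bundle their own copy of FreeType (browsers, document viewers) must be checked through their own version information, as the advisory says.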

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults in font processing functions
  • Unexpected font file processing from untrusted sources

Network Indicators:

  • Downloads of suspicious font files from untrusted sources
  • Font file transfers to vulnerable systems

SIEM Query:

source="application_logs" AND (message="segmentation fault" OR message="heap overflow") AND process="*font*"
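The first log indicator above, crashes in font processing code, is most reliably attributed from the kernel's segfault report rather than from the crashing process name, because the report names the module the faulting instruction lives in. The following POSIX sh/awk filter is an added example and not part of this advisory: it reads kernel log lines and prints only the segfaults whose faulting module is libfreetype. The log layout (ISO timestamp, host, "kernel:" tag) and the sample lines are constructed assumptions; adjust the field numbers to match your collector.

```shell
#!/bin/sh
# Added example, not part of the advisory: attribute user-space segfaults in
# kernel log lines to the FreeType library. Linux reports a crash as
#   <proc>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <module>[<base>+<len>]
# and the "in <module>" field ties the crash to libfreetype rather than to the
# application binary. The timestamp/host/"kernel:" layout is an assumption
# about the log collector.

# Constructed sample lines, not real telemetry: two crashes in libfreetype,
# one crash in an application binary, one unrelated line.
sample_log() {
    cat <<'EOF'
2022-05-03T10:12:01 ws01 kernel: evince[2143]: segfault at 0 ip 00007f3b1c2a4d2e sp 00007ffc3a2b1e40 error 4 in libfreetype.so.6.18.3[7f3b1c290000+9b000]
2022-05-03T10:12:05 ws01 kernel: firefox[3310]: segfault at 8 ip 000055d1e8a4b100 sp 00007ffd2c1a0f10 error 6 in firefox[55d1e8400000+1200000]
2022-05-03T10:13:40 ws01 kernel: fontforge[4021]: segfault at 10 ip 00007f8e9a1b2c3d sp 00007ffe1b2c3d40 error 4 in libfreetype.so.6.18.3[7f8e9a180000+9b000]
2022-05-03T10:14:02 ws01 systemd[1]: Started Session 3 of user alice.
EOF
}

# freetype_segfaults
# Reads log lines on stdin and prints "<timestamp> <host> <process> <pid> <module>"
# for each segfault whose faulting module name starts with libfreetype.
freetype_segfaults() {
    awk '
        $3 == "kernel:" && /segfault at/ {
            at = index($0, " in ")
            if (at == 0) next
            split(substr($0, at + 4), m, "[")   # m[1] is the module name
            if (m[1] !~ /^libfreetype/) next
            split($4, p, "[")                   # "evince[2143]:" -> p[1]="evince", p[2]="2143]:"
            sub(/].*$/, "", p[2])
            print $1, $2, p[1], p[2], m[1]
        }'
}

# Usage on a live host: journalctl -k --no-pager | freetype_segfaults
# Stand-alone run against the constructed sample:
sample_log | freetype_segfaults
```

Filtering on the faulting module rather than on a "*font*" process name catches crashes in browsers, viewers and image tools that merely link FreeType, and a burst of such lines from one host shortly after a font download is the pattern the advisory's network indicators describe.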
