CVE-2022-31782

7.8 HIGH

📋 TL;DR

CVE-2022-31782 is a heap-based buffer overflow in ftbench.c, one of the FreeType demo programs. An attacker who can trigger the vulnerable code path can crash the program (denial of service) or potentially execute arbitrary code. It affects FreeType demo programs up to and including version 2.12.1.

💻 Affected Systems

Products:
  • FreeType Demo Programs
Versions: Up to and including 2.12.1
Operating Systems: Linux, Unix-like systems, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only the demo programs are affected, not the main FreeType library itself. A system is exposed only if the demo programs are installed and run.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the FreeType demo program process, potentially leading to full system compromise.

🟠 Likely Case: Application crash (denial of service) or limited code execution within the demo program's context.

🟢 If Mitigated: Application crash with no further impact if proper memory protections (ASLR, DEP) are enabled.

🌐 Internet-Facing: LOW - FreeType demo programs are typically not exposed to external networks.
🏢 Internal Only: MEDIUM - Could be exploited by malicious local users or through compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access or ability to trigger the vulnerable demo program. Proof of concept exists in the GitLab issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FreeType demo programs after 2.12.1

Vendor Advisory: https://gitlab.freedesktop.org/freetype/freetype-demos/-/issues/8

Restart Required: No

Instructions:

1. Update FreeType demo programs to the latest version.
2. Remove demo programs if not needed.
3. Recompile any custom builds with patched source.

🔧 Temporary Workarounds

Remove demo programs (linux)

Uninstall FreeType demo programs if they are not required for functionality, using the package manager appropriate to your distribution:

sudo apt remove freetype2-demos
sudo yum remove freetype-demos

Restrict execution permissions (linux)

Remove execute permissions from ftbench and other demo binaries:

sudo chmod -x /usr/bin/ftbench
sudo chmod -x /usr/local/bin/ftbench

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from executing demo programs.
  • Deploy security controls like SELinux/AppArmor to restrict demo program capabilities.

🔍 How to Verify

Check if Vulnerable:

Check whether ftbench or other FreeType demo programs are installed and, if so, which version.

Check Version:

ftbench --version 2>&1 | head -1

Verify Fix Applied:

Confirm that the demo programs are removed, or updated to a version later than 2.12.1.
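As an added example (not part of the advisory), a POSIX shell script that turns the version check above into a pass/fail result for the affected range (demo programs up to and including 2.12.1). It assumes ftbench prints a line containing a dotted version number when asked for its version; the exact flag and wording depend on the build, and the probed paths are the ones named in the workaround section.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify an installed ftbench build
# against the affected range of CVE-2022-31782 (demo programs <= 2.12.1).
# Assumption: the demo prints a line containing a dotted version such as
# "ftbench (FreeType) 2.12.1"; the exact flag and wording depend on the build.
LAST_AFFECTED="2.12.1"
# Print the first dotted version number found in the text, or nothing.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# Succeed when dotted version $1 <= $2. Missing fields count as 0, so
# "2.13" is compared as 2.13.0 and sorts above 2.12.1.
version_le() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1.0.0" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2.0.0" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Map one line of version output to: vulnerable, fixed, or unknown.
ftbench_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"      # no version in the output: inspect the build by hand
    elif version_le "$v" "$LAST_AFFECTED"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Probe ftbench on PATH and in /usr/local/bin, the paths the workaround names.
check_installed() {
    bins="$(command -v ftbench 2>/dev/null || true) /usr/local/bin/ftbench"
    found=0
    for bin in $bins; do
        [ -x "$bin" ] || continue
        found=1
        out=$("$bin" --version 2>&1 | head -n 1)
        printf '%s: %s (%s)\n' "$bin" "$(ftbench_status "$out")" "$out"
    done
    [ "$found" -eq 1 ] || echo "ftbench not installed: not affected by CVE-2022-31782"
}
check_installed
```

If the binary prints the linked FreeType library version rather than the demos' own release, cross-check with the package manager (for example the installed version of freetype2-demos or freetype-demos) before trusting a "fixed" result.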

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or abnormal termination of ftbench process
  • Memory access violation logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Process execution: ftbench OR freetype-demo
