harfbuzz-devel-12.3.0-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10065-1 Final 1 1 2026-01-18T00:00:00Z current 2026-01-18T00:00:00Z 2026-01-18T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z harfbuzz-devel-12.3.0-2.1 on GA media These are all security issues fixed in the harfbuzz-devel-12.3.0-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10065 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2026-22693/ SUSE CVE CVE-2026-22693 page openSUSE Tumbleweed harfbuzz-devel-12.3.0-2.1 harfbuzz-tools-12.3.0-2.1 libharfbuzz-cairo0-12.3.0-2.1 libharfbuzz-cairo0-32bit-12.3.0-2.1 libharfbuzz-gobject0-12.3.0-2.1 libharfbuzz-gobject0-32bit-12.3.0-2.1 libharfbuzz-icu0-12.3.0-2.1 libharfbuzz-icu0-32bit-12.3.0-2.1 libharfbuzz-subset0-12.3.0-2.1 libharfbuzz-subset0-32bit-12.3.0-2.1 libharfbuzz0-12.3.0-2.1 libharfbuzz0-32bit-12.3.0-2.1 typelib-1_0-HarfBuzz-0_0-12.3.0-2.1 harfbuzz-devel-12.3.0-2.1 as a component of openSUSE Tumbleweed harfbuzz-tools-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-cairo0-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-cairo0-32bit-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-gobject0-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-gobject0-32bit-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-icu0-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-icu0-32bit-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-subset0-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz-subset0-32bit-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz0-12.3.0-2.1 as a component of openSUSE Tumbleweed libharfbuzz0-32bit-12.3.0-2.1 as a component of openSUSE Tumbleweed typelib-1_0-HarfBuzz-0_0-12.3.0-2.1 as a component of openSUSE Tumbleweed HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. CVE-2026-22693 openSUSE Tumbleweed:harfbuzz-devel-12.3.0-2.1 openSUSE Tumbleweed:harfbuzz-tools-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-cairo0-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-cairo0-32bit-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-gobject0-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-gobject0-32bit-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-icu0-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-icu0-32bit-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-subset0-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz-subset0-32bit-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz0-12.3.0-2.1 openSUSE Tumbleweed:libharfbuzz0-32bit-12.3.0-2.1 openSUSE Tumbleweed:typelib-1_0-HarfBuzz-0_0-12.3.0-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-22693.html CVE-2026-22693 https://bugzilla.suse.com/1256459 SUSE Bug 1256459