CVE-2025-15273 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-15273 Interim 1 1 2026-03-05T01:24:18Z current 2026-03-05T01:24:18Z 2026-03-05T01:24:18Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-15273 FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PFB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28546. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Desktop Applications 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Module for Desktop Applications 15 SP7 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Server 15 SP6-LTSS SUSE Linux Enterprise Module for Desktop Applications 15 SP7 SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server Teradata 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Module for Desktop Applications 15 SP7 SUSE Linux Enterprise Server for SAP applications 16.0 openSUSE Leap 15.6 fontforge fontforge-devel fontforge-doc fontforge as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS fontforge as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS fontforge as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP7 fontforge as a component of SUSE Linux Enterprise Server 15 SP2-LTSS fontforge as a component of SUSE Linux Enterprise Server 15 SP3-LTSS fontforge as a component of SUSE Linux Enterprise Server 15 SP4-LTSS fontforge as a component of SUSE Linux Enterprise Server 15 SP5-LTSS fontforge as a component of SUSE Linux Enterprise Server 15 SP6-LTSS fontforge as a component of SUSE Linux Enterprise Server 16.0 fontforge-devel as a component of SUSE Linux Enterprise Server 16.0 fontforge-doc as a component of SUSE Linux Enterprise Server 16.0 fontforge as a component of SUSE Linux Enterprise Server Teradata 15 SP4 fontforge as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 fontforge as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 fontforge as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 fontforge as a component of SUSE Linux Enterprise Server for SAP applications 16.0 fontforge-devel as a component of SUSE Linux Enterprise Server for SAP applications 16.0 fontforge-doc as a component of SUSE Linux Enterprise Server for SAP applications 16.0 fontforge as a component of openSUSE Leap 15.6 fontforge-devel as a component of openSUSE Leap 15.6 fontforge-doc as a component of openSUSE Leap 15.6 FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PFB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28546. CVE-2025-15273 important 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H