Based on the web page screenshot, the key information about the vulnerability is as follows:

Vulnerability Title
- (0Day) FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

Identifiers
- ZDI-25-1190
- ZDI-CAN-28544
- CVE ID: CVE-2025-15274

CVSS Score
- 8.8, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Vendors and Products
- Affected Vendors: FontForge
- Affected Products: FontForge

Vulnerability Details
- This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
- The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user.

Mitigation
- Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product.

Disclosure Timeline
- 2025-12-12 - Vulnerability reported to vendor
- 2025-12-29 - Coordinated public release of advisory
- 2025-12-29 - Advisory updated

Reported By
- Anonymous