FontForge XBM Integer Overflow RCE Vulnerability (CVE-2025-15278)

Vulnerability Details Vulnerability Name: (0Day) FontForge GUtils XBM File Parsing Integer Overflow Remote Code Execution Vulnerability ZDI Number: - ZDI-25-1185 - ZDI-CAN-27865 CVE ID: CVE-2025-15278 CVSS Score: 7.8, AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Vendor: FontForge Affected Product: FontForge Vulnerability Description: - This vulnerability allows remote attackers to execute arbitrary code on affected FontForge installations. User interaction is required to exploit the vulnerability, such as visiting a malicious page or opening a malicious file. The flaw specifically resides in the parsing of XBM files, where improper validation of user-supplied data leads to an integer overflow. Attackers can leverage this to execute code within the context of the current process. Additional Details: - 08/21/25 - ZDI submitted the report to the vendor via a third-party platform. - 10/28/25 - ZDI requested an update. - 12/04/25 - ZDI requested an update again. - 12/13/25 - ZDI contacted the vendor's GitHub account. - 12/13/24 - Vendor rejected the vulnerability report, accepting only pull requests that include fixes. - 12/15/25 - ZDI notified the vendor that a 0-day advisory would be published on 12/29/25. Mitigation: Due to the nature of the vulnerability, effective mitigation involves limiting interaction with the product. Disclosure Timeline: - 2025-08-21 - Vulnerability reported to the vendor. - 2025-12-29 - Coordinated advisory release. - 2025-12-29 - Advisory updated. Credit: volticks (@movvx64 on Twitter)

Goal Reached Thanks to every supporter — we hit 100%!

FontForge XBM Integer Overflow RCE Vulnerability (CVE-2025-15278)