A critical remote code execution vulnerability has been identified in multiple FontForge products. An attacker could exploit this flaw by tricking a user into opening a specially crafted PFB font file, which could allow the attacker to take full control of the affected system, leading to data theft, malware installation, or further network intrusion.

This vulnerability is a stack-based buffer overflow that occurs within the file parsing component of FontForge when processing PFB (PostScript Font Binary) files. An attacker can create a malicious PFB file containing data that exceeds the size of the buffer allocated for it on the program's stack. When FontForge attempts to parse this file, the excess data overwrites adjacent memory on the stack, which can include the function's return address. By controlling this overwritten data, an attacker can redirect the program's execution flow to malicious code embedded within the file, resulting in remote code execution (RCE) in the context of the user running FontForge.

This vulnerability presents a significant risk to the organization, rated as High severity with a CVSS score of 8.8. Successful exploitation allows an attacker to execute arbitrary code on an employee's workstation. This could lead to the compromise of sensitive corporate data, theft of user credentials, deployment of ransomware, or the use of the compromised machine as a beachhead to launch further attacks against the internal network. The primary risk is to users who work with external or untrusted font files, such as graphic designers or marketing personnel, potentially leading to a breach of confidentiality, integrity, and availability.

Immediate Action: The primary remediation is to apply the security patches released by the vendor to all affected systems. Patching should be prioritized for internet-facing systems and workstations used by employees who are likely to handle files from external sources. Following patching, review system and application logs for any signs of crashes or anomalous behavior related to FontForge.

Proactive Monitoring: Implement enhanced monitoring on endpoints running FontForge. Look for suspicious child processes being spawned by the FontForge application (e.g., cmd.exe, powershell.exe, /bin/sh). Monitor for unusual network connections originating from the FontForge process to external IP addresses. Security teams should create detection rules in SIEM or EDR solutions to alert on FontForge application crashes followed by suspicious system activity.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:

• User Awareness: Instruct users, especially those in design-related roles, not to open or install PFB font files from untrusted sources, such as suspicious websites or unsolicited emails.
• Application Sandboxing: Run FontForge within a sandboxed or virtualized environment to contain any potential exploit and prevent it from affecting the host operating system.
• Endpoint Security: Ensure Endpoint Detection and Response (EDR) and antivirus solutions are up-to-date and configured to monitor for memory corruption exploitation techniques and anomalous process behavior.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the potential for complete system compromise, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches across all affected assets without delay. Although this vulnerability is not currently listed on the CISA KEV catalog, its high severity and the straightforward nature of the attack vector warrant urgent remediation. If patching is delayed, the compensating controls listed above should be implemented as an interim measure to mitigate risk.