CVE-2025-15270

DOCUMENTATION: A flaw was found in FontForge. This vulnerability allows a remote attacker to execute arbitrary code by tricking a user into opening a specially crafted SFD (Spline Font Database) file. The issue stems from improper validation of array indexes during SFD file parsing, which can lead to writing data beyond the allocated memory boundary. Successful exploitation results in arbitrary code execution in the context of the current user. 

            STATEMENT: This vulnerability is rated Important for Red Hat products as it allows remote code execution in FontForge. Exploitation requires user interaction, where a target must open a specially crafted SFD file. This affects systems where FontForge is installed and used to process untrusted font files.

            MITIGATION: To mitigate this issue, users should avoid opening untrusted SFD (Spline Font Database) files with FontForge. If FontForge is not required, consider removing the fontforge package to eliminate the attack surface.

To remove the package on Red Hat Enterprise Linux:

sudo yum remove fontforge (for RHEL 6/7)

sudo dnf remove fontforge (for RHEL 8/9/10 and Fedora)

Removing this package may impact functionality that relies on FontForge.