CVE-2025-15274
DOCUMENTATION: A flaw was found in FontForge. This heap-based buffer overflow vulnerability allows a remote attacker to execute arbitrary code on an affected system. The overflow is triggered when a user is tricked into opening a specially crafted SFD file, because the length of user-supplied data is not properly validated during file parsing. Successful exploitation can lead to complete control over the affected system.
STATEMENT: This vulnerability is rated Important for Red Hat products as it allows for remote code execution. Exploitation requires user interaction, where a target must open a specially crafted SFD file. This affects installations of FontForge on Red Hat Enterprise Linux and Fedora.
MITIGATION: To mitigate this issue, users should avoid opening untrusted SFD (Spline Font Database) files with FontForge. If FontForge is not required, consider removing the package to eliminate the attack surface.
To remove FontForge on Red Hat Enterprise Linux or Fedora:
sudo dnf remove fontforge
Note that removing FontForge may impact other applications that depend on it for font manipulation.
References
https://access.redhat.com/security/cve/CVE-2025-15274
