CVE-2025-15280
DOCUMENTATION: A flaw was found in FontForge. This use-after-free vulnerability in the SFD file parsing component allows remote attackers to execute arbitrary code. Exploitation requires user interaction, such as opening a specially crafted malicious SFD file or visiting a malicious web page. Successful exploitation can lead to arbitrary code execution in the context of the current user.
STATEMENT: This vulnerability is rated Important for Red Hat products because it allows remote code execution in FontForge due to a use-after-free flaw during SFD file parsing. Exploitation requires user interaction, specifically opening a specially crafted malicious SFD file or visiting a malicious web page. This affects FontForge in Red Hat Enterprise Linux and Red Hat In-Vehicle OS.
MITIGATION: To mitigate this issue, users should avoid opening untrusted SFD files or visiting untrusted web pages that may attempt to exploit this vulnerability. If FontForge is not required, consider removing the fontforge package to eliminate the attack surface. Removing this package may impact functionality that relies on font editing capabilities.
Related Resources
References
https://access.redhat.com/security/cve/CVE-2025-15280
