CVE-2025-15534
Published: 18 January 2026
Summary
CVE-2025-15534 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in raylib (raysan5/raylib). Its reported CVSS base score is 4.8 (Medium), a figure consistent with CVSS v4.0 scoring of a local, low-privilege issue; the CVSS v3.1 vector given in the deeper analysis below scores 5.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 2.9th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15534 is an integer overflow vulnerability (CWE-189, CWE-190) in the LoadFontData function of src/rtext.c in the raylib library by raysan5, affecting versions up to commit 909f040. The issue was published on 2026-01-18 and carries a CVSS v3.1 base score of 5.3.
The vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) describes a local attacker with low privileges and no user interaction, with limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L). A public exploit is available. In practice the local attack vector reflects that the trigger is a crafted font file: any application that links raylib and loads font data it does not fully trust (user-supplied TTF files, mod or asset packs, downloaded content) exposes the overflow, so the realistic exposure is wider than "local attacker" suggests.
The recommended mitigation is to apply the patch at commit 5a3391fdce046bc5473e52afbd835dd2dc127146. Additional details are documented in raylib repository issue #5436 and pull request #5450. Projects that vendor raylib from git can confirm the fix is present in their checkout with `git merge-base --is-ancestor 5a3391fdce046bc5473e52afbd835dd2dc127146 HEAD` (exit status 0 means the patch commit is an ancestor of HEAD); projects that pin a release tag need a build that includes that commit.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3184
Vulnerability details
A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. The manipulation leads to integer overflow. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The identifier of the patch is 5a3391fdce046bc5473e52afbd835dd2dc127146. It is suggested to install a patch to address this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An integer overflow in the font-loading path produces an undersized allocation that later writes run past, giving local memory corruption in any application that links raylib and loads attacker-supplied font data. That corruption could be turned into limited code execution in the affected process, and into privilege escalation only where that process runs with more privilege than the attacker who supplied the font file.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patch (commit 5a3391fd) that eliminates the integer overflow in LoadFontData.
- SI-10 (Information Input Validation): mandates validation of input data lengths and sizes before arithmetic operations, preventing the integer overflow when processing font data.
- SI-16 (Memory Protection): requires memory-protection mechanisms (for example, non-executable memory and address space layout randomization) that can limit the impact of an overflow originating from unvalidated LoadFontData input.
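The following is an added illustration of the CWE-190 pattern the advisory and the SI-10 control describe: a buffer size computed from attacker-influenced font fields wraps, the allocation is undersized, and the subsequent writes overrun it. It is example code written for this page, not raylib's LoadFontData and not taken from the raylib repository or the public proof-of-concept; the field names (glyphCount, glyphW, glyphH), the 256 MiB atlas cap, and the sample inputs are assumptions chosen for the demonstration. The vulnerable form is shown beside a hardened form that checks each multiplication and enforces a cap before allocating.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Hypothetical font-atlas size computation, constructed for this example.
 * It is NOT raylib's LoadFontData; names and the cap below are assumptions.
 */

/* Assumed policy cap on a glyph atlas; real code picks its own bound. */
#define MAX_ATLAS_BYTES ((size_t)256 * 1024 * 1024)

/* Vulnerable pattern: 32-bit product of attacker-influenced font fields.
 * Unsigned arithmetic is used so the wrap is well defined for the demo;
 * with signed int the overflow would be undefined behaviour, which is worse. */
uint32_t wrapped_atlas_size(uint32_t glyphCount, uint32_t glyphW, uint32_t glyphH)
{
    return glyphCount * glyphW * glyphH;   /* CWE-190: wraps modulo 2^32 */
}

/* Bytes a copy loop driven by the same three fields would write past the
 * buffer that wrapped_atlas_size() sized. 0 means the allocation was adequate. */
uint64_t vulnerable_overrun_bytes(uint32_t glyphCount, uint32_t glyphW, uint32_t glyphH)
{
    uint64_t intended  = (uint64_t)glyphCount * glyphW * glyphH;
    uint64_t allocated = wrapped_atlas_size(glyphCount, glyphW, glyphH);
    return intended - allocated;
}

/* Overflow-checked multiply in size_t (portable; __builtin_mul_overflow
 * does the same on GCC/Clang). Returns 0 on success, -1 on overflow. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Hardened pattern (SI-10): reject zero fields, check every multiplication,
 * and enforce an absolute cap before any allocation happens. The cap matters
 * because on a 64-bit host the product that wraps a 32-bit int still fits
 * comfortably in size_t. Returns 0 and sets *out, or -1 to reject the input. */
int safe_atlas_size(uint32_t glyphCount, uint32_t glyphW, uint32_t glyphH, size_t *out)
{
    size_t tmp, total;
    if (glyphCount == 0 || glyphW == 0 || glyphH == 0) return -1;
    if (checked_mul(glyphCount, glyphW, &tmp) != 0) return -1;
    if (checked_mul(tmp, glyphH, &total) != 0) return -1;
    if (total > MAX_ATLAS_BYTES) return -1;
    *out = total;
    return 0;
}

/* Allocate the atlas only after the size has been validated; NULL on reject. */
unsigned char *alloc_atlas_checked(uint32_t glyphCount, uint32_t glyphW, uint32_t glyphH)
{
    size_t n;
    if (safe_atlas_size(glyphCount, glyphW, glyphH, &n) != 0) return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed inputs: a plausible 95-glyph font, then fields crafted so
     * the 32-bit product wraps to 65536 while the real size is 2^32 + 65536. */
    uint32_t cases[][3] = { {95, 32, 32}, {65536, 65537, 1} };
    for (size_t i = 0; i < 2; i++) {
        uint32_t c = cases[i][0], w = cases[i][1], h = cases[i][2];
        size_t n = 0;
        printf("count=%u w=%u h=%u: wrapped=%u overrun=%llu checked=%s\n",
               (unsigned)c, (unsigned)w, (unsigned)h,
               (unsigned)wrapped_atlas_size(c, w, h),
               (unsigned long long)vulnerable_overrun_bytes(c, w, h),
               safe_atlas_size(c, w, h, &n) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The crafted case is the shape an exploit file aims for: the wrapped product sizes a 64 KiB heap buffer while the loop that fills it is driven by the original fields, so it writes 4 GiB past the end. The hardened path rejects that input twice over, once by the cap and, on a 32-bit build, already by the overflow check; the same two checks are what SI-10 asks for before any size arithmetic feeds an allocator.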