Cyber Posture

CVE-2026-0943

High

Published: 19 January 2026

Modified: 04 March 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (33.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0943 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Jv Harfbuzz. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 33.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004: Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Null pointer dereference enables remote application crash and DoS via direct exploitation of the vulnerable Perl module (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HarfBuzz::Shaper versions before 0.032 for Perl contain a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693.

Deeper analysis (AI)

CVE-2026-0943 is a null pointer dereference vulnerability (CWE-476) affecting HarfBuzz::Shaper, a Perl module, in versions prior to 0.032. These versions bundle HarfBuzz 8.4.0 or earlier as hb_src.tar.gz in the distribution's source tarball, and that bundled library carries the vulnerability tracked as CVE-2026-22693. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation triggers a null pointer dereference, leading to application crashes and denial-of-service conditions without impacting confidentiality or integrity.

Mitigation involves upgrading to HarfBuzz::Shaper version 0.032 or later, which addresses the bundled HarfBuzz library issue, as detailed in the module's release changes on MetaCPAN. Red Hat's Bugzilla advisory (ID 2429296) tracks the vulnerability, and further details on the root cause are available in CVE-2026-22693.

Details

CWE(s)

Affected Products

jv
harfbuzz

CVEs Like This One

CVE-2026-4652: Shared CWE-476
CVE-2026-33282: Shared CWE-476
CVE-2025-0430: Shared CWE-476
CVE-2026-31256: Shared CWE-476
CVE-2025-69649: Shared CWE-476
CVE-2026-27141: Shared CWE-476
CVE-2026-25795: Shared CWE-476
CVE-2026-22998: Shared CWE-476
CVE-2025-63648: Shared CWE-476
CVE-2026-34874: Shared CWE-476
