Cyber Resilience

CVE-2026-0943

High

Published: 19 January 2026

Modified: 04 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0018 (39.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0943 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in HarfBuzz::Shaper. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 39.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-8 (System Component Inventory).

Deeper analysis

CVE-2026-0943 is a null pointer dereference vulnerability (CWE-476) affecting HarfBuzz::Shaper, a Perl module, in versions prior to 0.032. These versions bundle HarfBuzz 8.4.0 or earlier from the hb_src.tar.gz source tarball in the distribution, which itself carries the vulnerability tracked as CVE-2026-22693. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation triggers a null pointer dereference, leading to application crashes and denial-of-service conditions without impacting confidentiality or integrity.

Mitigation involves upgrading to HarfBuzz::Shaper version 0.032 or later, which addresses the bundled HarfBuzz library issue, as detailed in the module's release changes on MetaCPAN. Red Hat's Bugzilla advisory (ID 2429296) tracks the vulnerability, and further details on the root cause are available in CVE-2026-22693.

Vulnerability details

HarfBuzz::Shaper versions before 0.032 for Perl contain a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference enables remote application crash and DoS via direct exploitation of the vulnerable Perl module (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40413 (Shared CWE-476)
CVE-2025-57155 (Shared CWE-476)
CVE-2026-28390 (Shared CWE-476)
CVE-2026-23952 (Shared CWE-476)
CVE-2025-57156 (Shared CWE-476)
CVE-2025-63647 (Shared CWE-476)
CVE-2025-69624 (Shared CWE-476)
CVE-2024-55193 (Shared CWE-476)
CVE-2025-63648 (Shared CWE-476)
CVE-2026-25795 (Shared CWE-476)

Affected Assets

jv HarfBuzz::Shaper (versions before 0.032)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of known software flaws like the null pointer dereference in CVE-2026-0943 by upgrading vulnerable HarfBuzz::Shaper versions to prevent DoS exploitation.

detect

Requires vulnerability scanning to identify systems with vulnerable HarfBuzz::Shaper modules affected by CVE-2026-0943.

detect

Maintains an inventory of system components, including bundled libraries like vulnerable HarfBuzz in Perl modules, enabling targeted detection and patching for CVE-2026-0943.
