Cyber Posture

CVE-2026-34085

Medium

Published: 25 March 2026

Modified: 27 March 2026
CVSS Score: 5.9 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34085 is a medium-severity Off-by-one Error (CWE-193) vulnerability in fontconfig (Fontconfig Project). Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Flaw remediation requires updating fontconfig to version 2.17.1, directly eliminating the off-by-one error and out-of-bounds write in FcFontCapabilities.

prevent

Memory protection safeguards like DEP and ASLR make it harder to turn the one-byte out-of-bounds write into unauthorized code execution.

detect

Vulnerability scanning identifies systems running vulnerable fontconfig versions prior to 2.17.1, enabling targeted remediation.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Off-by-one memory corruption in fontconfig can enable arbitrary code execution through malicious font handling. This directly supports local privilege escalation (T1068) when the target is a higher-privileged process, and client application exploitation (T1203) when the flaw is triggered by user-opened documents or rendered content.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.

Deeper analysis

CVE-2026-34085 is an off-by-one error in memory allocation during SFNT capability handling in fontconfig library versions prior to 2.17.1. The issue resides in the FcFontCapabilities function within fcfreetype.c, where it results in a one-byte out-of-bounds write. This vulnerability, classified under CWE-193 (Off-by-one Error), carries a CVSS v3.1 base score of 5.9 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and could lead to application crashes or potentially code execution, depending on the exploitation context.

A local attacker can exploit this vulnerability with low complexity and no privileges or user interaction required, as it only demands local access to the system. Successful exploitation results in low-impact confidentiality, integrity, and availability effects, such as limited data exposure, minor tampering, or denial of service via crashes, with the out-of-bounds write potentially enabling more severe outcomes like code execution in vulnerable font processing scenarios.

The issue is fixed in fontconfig version 2.17.1, with patches detailed in the project's GitLab repository, including commit b9bec06d73340f1b5727302d13ac3df307b7febc, merge request 446, and work item 481. Security practitioners should update to the fixed version and audit systems using affected fontconfig releases for local attack surface exposure.

Details

CWE(s)

CWE-193 (Off-by-one Error)

Affected Products

fontconfig project
fontconfig
≤ 2.17.1

CVEs Like This One

CVE-2024-57990 (shared CWE-193)
CVE-2026-22593 (shared CWE-193)
CVE-2026-28520 (shared CWE-193)
CVE-2026-33997 (shared CWE-193)
CVE-2026-44603 (shared CWE-193)
CVE-2024-48854 (shared CWE-193)
CVE-2024-57259 (shared CWE-193)
CVE-2026-4887 (shared CWE-193)
CVE-2024-10442 (shared CWE-193)
CVE-2006-10003 (shared CWE-193)