SUSE-SU-2026:20730-1: moderate: Security update for freetype2

SLE-SECURITY-UPDATES null at suse.de
Mon Mar 23 16:30:51 UTC 2026 


# Security update for freetype2

Announcement ID: SUSE-SU-2026:20730-1  
Release Date: 2026-03-16T13:24:14Z  
Rating: moderate  
References:

  * bsc#1252148
  * bsc#1259118

  
Cross-References:

  * CVE-2026-23865

  
CVSS scores:

  * CVE-2026-23865 ( SUSE ):  4.6
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
  * CVE-2026-23865 ( SUSE ):  5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-23865 ( NVD ):  5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

  
Affected Products:

  * SUSE Linux Micro 6.0

  
  
An update that solves one vulnerability and has one fix can now be installed.

## Description:

This update for freetype2 fixes the following issue:

Update to freetype2 2.14.2:

  * CVE-2026-23865: Integer overflow in the tt_var_load_item_variation_store
    function (bsc#1259118).

Changelog:

  * Several changes related to LCD filtering are implemented to achieve better
    performance and encourage sound practices.
  * Instead of blanket LCD filtering over the entire bitmap, it is now applied
    only to non-zero spans using direct rendering. This speeds up the ClearType-
    like rendering by more than 40% at sizes above 32 ppem.
  * Setting the filter weights with FT_Face_Properties is no longer supported.
    The default and light filters are optimized to work with any face.
  * The legacy libXft LCD filter algorithm is no longer provided.
  * The italic angle in `PS_FontInfo` is now stored as a fixed-point value in
    degrees for all Type 1 fonts and their derivatives, consistent with CFF
    fonts and common practices. The broken underline position and thickness
    values are fixed for CFF fonts.
  * The `x` field in the `FT_Span` structure is now unsigned.
  * Demo program `ftgrid` got an option `-m` to select a start character to
    display.
  * Similarly, demo program `ftmulti` got an option `-m` to select a text string
    for rendering.
  * Option `-d` in the demo program `ttdebug` is now called `-a`, expecting a
    comma-separated list of axis values. The user interface is also slightly
    improved.
  * The `ftinspect` demo program can now be compiled with Qt6, too.
  * The auto-hinter got new abilities. It can now better separate diacritic
    glyphs from base glyphs at small sizes by artificially moving diacritics up
    (or down) if necessary
  * Tilde accent glyphs get vertically stretched at small sizes so that they
    don't degenerate to horizontal lines.
  * Diacritics directly attached to a base glyph (like the ogonek in character
    'ę') no longer distort the shape of the base glyph
  * The TrueType instruction interpreter was optimized to produce a 15% gain in
    the glyph loading speed.
  * Handling of Variation Fonts is now considerably faster
  * TrueType and CFF glyph loading speed has been improved by 5-10% on modern
    64-bit platforms as a result of better handling of fixed-point
    multiplication.
  * The BDF driver now loads fonts 75% faster.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-623=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * freetype2-debugsource-2.14.2-1.1
    * libfreetype6-2.14.2-1.1
    * libfreetype6-debuginfo-2.14.2-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2026-23865.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1252148
  * https://bugzilla.suse.com/show_bug.cgi?id=1259118

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260323/f8aab0d2/attachment.htm>

More information about the sle-security-updates mailing list