SUSE-SU-2026:20762-1: moderate: Security update for harfbuzz

SLE-SECURITY-UPDATES null at suse.de
Tue Mar 24 12:30:24 UTC 2026 


# Security update for harfbuzz

Announcement ID: SUSE-SU-2026:20762-1  
Release Date: 2026-03-20T15:28:08Z  
Rating: moderate  
References:

  * bsc#1256459

  
Cross-References:

  * CVE-2026-22693

  
CVSS scores:

  * CVE-2026-22693 ( SUSE ):  6.9
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2026-22693 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2026-22693 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

  
Affected Products:

  * SUSE Linux Micro 6.2

  
  
An update that solves one vulnerability can now be installed.

## Description:

This update for harfbuzz fixes the following issues:

Update to version 11.4.5:

Security fixes:

  * CVE-2026-22693: Fixed a NULL pointer dereference in
    SubtableUnicodesCache::create (bsc#1256459).

Other fixes:

  * Bug fixes for “AAT” shaping, and other shaping micro optimizations.
  * Fix a shaping regression affecting mark glyphs in certain fonts.
  * Fix pruning of mark filtering sets when subsetting fonts, which caused
    changes in shaping behaviour.
  * Make shaping fail much faster for certain malformed fonts (e.g., those that
    trigger infinite recursion).
  * Fix undefined behaviour introduced in 11.4.2.
  * Fix detection of the “Cambria Math” font when fonts are scaled, so the
    workaround for the bad MATH table constant is applied.
  * Various performance and memory usage improvements.
  * The hb-shape command line tool can now be built with the amalgamated
    harfbuzz.cc source.
  * Fix regression in handling version 2 of avar table.
  * Increase various buffer length limits for better handling of fonts that
    generate huge number of glyphs per codepoint (e.g. Noto Sans Duployan).
  * Improvements to the harfrust shaper for more accurate testing.
  * Fix clang compiler warnings.
  * General shaping and subsetting speedups.
  * Fix in Graphite shaping backend when glyph advances became negative.
  * Subsetting improvements, pruning empty mark-attachment lookups.
  * Don't use the macro name _S, which is reserved by system liberaries.
  * Build fixes and speedup.
  * Add a kbts shaping backend that calls into the kb_text_shape single-header
    shaping library. This is purely for testing and performance evaluation and
    we do NOT recommend using it for any other purposes.
  * Fix bug in vertical shaping of fonts without the vmtx table.
  * Fix build with non-compliant C++11 compilers that don't recognize the "and"
    keyword.
  * Fix crasher in the glyph_v_origin function introduced in 11.3.0.
  * Speed up handling fonts with very large number of variations.
  * Speed up getting horizontal and vertical glyph advances by up to 24%.
  * Significantly speed up vertical text shaping.
  * Various documentation improvements.
  * Various build improvements.
  * Various subsetting improvements.
  * Various improvements to Rust font functions (fontations integration) and
    shaper (HarfRust integration).
  * Rename harfruzz option and shaper to harfrust following upstream rename.
  * Implement hb_face_reference_blob() for DirectWrite font functions.
  * Various build improvements.
  * Fix build with HB_NO_DRAW and HB_NO_PAINT.
  * Add an optional harfruzz shaper that uses HarfRuzz; an ongoing Rust port of
    HarfBuzz shaping. This shaper is mainly used for testing the output of the
    Rust implementation.
  * Fix regression that caused applying unsafe_to_break() to the whole buffer to
    be ignored.
  * Update USE data files.
  * Fix getting advances of out-of-rage glyph indices in DirectWrite font
    functions.
  * Painting of COLRv1 fonts without clip boxes is now about 10 times faster.
  * Synthetic bold/slant of a sub font is now respected, instead of using the
    parent’s.
  * Glyph extents for fonts synthetic bold/slant are now accurately calculated.
  * Various build fixes.
  * Include bidi mirroring variants of the requested codepoints when subsetting.
    The new HB_SUBSET_FLAGS_NO_BIDI_CLOSURE can be used to disable this
    behaviour.
  * Various bug fixes.
  * Various build fixes and improvements.
  * Various test suite improvements.
  * The change in version 10.3.0 to apply “trak” table tracking values to glyph
    advances directly has been reverted as it required every font functions
    implementation to handle it, which breaks existing custom font functions.
    Tracking is instead back to being applied during shaping.
  * When directwrite integration is enabled, we now link to dwrite.dll instead
    of dynamically loading it.
  * A new experimental APIs for getting raw “CFF” and “CFF2” CharStrings.
  * We now provide manpages for the various command line utilities. Building
    manpages requires “help2man” and will be skipped if it is not present.
  * The command line utilities now set different return value for different
    kinds of failures. Details are provided in the manpages.
  * Various fixes and improvements to fontations font functions.
  * All shaping operations using the ot shaper have become memory allocation-
    free.
  * Glyph extents returned by hb-ot and hb-ft font functions are now rounded in
    stead of flooring/ceiling them, which also matches what other font libraries
    do.
  * Fix “AAT” deleted glyph marks interfering with fallback mark positioning.
  * Glyph outlines emboldening have been moved out of hb-ot and hb-ft font
    functions to the HarfBuzz font layer, so that it works with any font
    functions implementation.
  * Fix our fallback C++11 atomics integration, which seems to not be widely
    used.
  * Various testing fixes and improvements.
  * Various subsetting fixes and improvements.
  * Various other fixes and improvements.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.2  
    zypper in -t patch SUSE-SL-Micro-6.2-423=1

## Package List:

  * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    * libharfbuzz0-11.4.5-160000.1.1
    * libharfbuzz-gobject0-debuginfo-11.4.5-160000.1.1
    * typelib-1_0-HarfBuzz-0_0-11.4.5-160000.1.1
    * libharfbuzz-gobject0-11.4.5-160000.1.1
    * libharfbuzz0-debuginfo-11.4.5-160000.1.1
    * harfbuzz-debugsource-11.4.5-160000.1.1

## References:

  * https://www.suse.com/security/cve/CVE-2026-22693.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1256459

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260324/4b9f3131/attachment.htm>

More information about the sle-security-updates mailing list