{"api_version":"1","generated_at":"2026-04-23T02:36:44+00:00","cve":"CVE-2023-25193","urls":{"html":"https://cve.report/CVE-2023-25193","api":"https://cve.report/api/cve/CVE-2023-25193.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-25193","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-25193"},"summary":{"title":"CVE-2023-25193","description":"hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-02-04 20:15:00","updated_at":"2023-11-07 04:08:00"},"problem_types":["CWE-770"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWCHWSICWVZSAXP2YAXM65JC2GR53547/","name":"FEDORA-2023-4e6353c6f7","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: chromium-110.0.5481.77-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZ5M2GSAIHFPLHYJXUPQ2QDJCLWXUGO3/","name":"FEDORA-2023-a48406ecd2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 38 Update: harfbuzz-7.0.1-2.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230725-0006/","name":"https://security.netapp.com/advisory/ntap-20230725-0006/","refsource":"CONFIRM","tags":[],"title":"July 2023 Java Platform Standard Edition Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZ5M2GSAIHFPLHYJXUPQ2QDJCLWXUGO3/","name":"FEDORA-2023-a48406ecd2","refsource":"","tags":[],"title":"[SECURITY] Fedora 38 Update: harfbuzz-7.0.1-2.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/harfbuzz/harfbuzz/blob/2822b589bc837fae6f66233e2cf2eef0f6ce8470/src/hb-ot-layout-gsubgpos.hh","name":"https://github.com/harfbuzz/harfbuzz/blob/2822b589bc837fae6f66233e2cf2eef0f6ce8470/src/hb-ot-layout-gsubgpos.hh","refsource":"MISC","tags":[],"title":"harfbuzz/hb-ot-layout-gsubgpos.hh at 2822b589bc837fae6f66233e2cf2eef0f6ce8470 · harfbuzz/harfbuzz · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://chromium.googlesource.com/chromium/src/+/e1f324aa681af54101c1f2d173d92adb80e37088/DEPS#361","name":"https://chromium.googlesource.com/chromium/src/+/e1f324aa681af54101c1f2d173d92adb80e37088/DEPS#361","refsource":"MISC","tags":[],"title":"DEPS - chromium/src - Git at Google","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc","name":"https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc","refsource":"MISC","tags":[],"title":"[layout] Limit how far we skip when looking back · harfbuzz/harfbuzz@85be877 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWCHWSICWVZSAXP2YAXM65JC2GR53547/","name":"FEDORA-2023-4e6353c6f7","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: chromium-110.0.5481.77-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25193","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25193","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"25193","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25193","vulnerable":"1","versionEndIncluding":"6.0.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"harfbuzz_project","cpe5":"harfbuzz","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-25193","qid":"160804","title":"Oracle Enterprise Linux Security Update for java-11-openjdk (ELSA-2023-4233)"},{"cve":"CVE-2023-25193","qid":"160809","title":"Oracle Enterprise Linux Security Update for java-17-openjdk (ELSA-2023-4159)"},{"cve":"CVE-2023-25193","qid":"160812","title":"Oracle Enterprise Linux Security Update for java-11-openjdk (ELSA-2023-4158)"},{"cve":"CVE-2023-25193","qid":"160815","title":"Oracle Enterprise Linux Security Update for java-11-openjdk (ELSA-2023-4175)"},{"cve":"CVE-2023-25193","qid":"160816","title":"Oracle Enterprise Linux Security Update for java-17-openjdk (ELSA-2023-4177)"},{"cve":"CVE-2023-25193","qid":"199629","title":"Ubuntu Security Notification for Open Java Development Toolkit (OpenJDK) Vulnerabilities (USN-6263-1)"},{"cve":"CVE-2023-25193","qid":"199638","title":"Ubuntu Security Notification for Open Java Development Toolkit (OpenJDK) 20 Vulnerabilities (USN-6272-1)"},{"cve":"CVE-2023-25193","qid":"241837","title":"Red Hat Update for java-17-openjdk (RHSA-2023:4170)"},{"cve":"CVE-2023-25193","qid":"241838","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4162)"},{"cve":"CVE-2023-25193","qid":"241840","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4165)"},{"cve":"CVE-2023-25193","qid":"241841","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4163)"},{"cve":"CVE-2023-25193","qid":"241842","title":"Red Hat Update for java-17-openjdk (RHSA-2023:4169)"},{"cve":"CVE-2023-25193","qid":"241846","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4164)"},{"cve":"CVE-2023-25193","qid":"241847","title":"Red Hat Update for java-17-openjdk (RHSA-2023:4171)"},{"cve":"CVE-2023-25193","qid":"241849","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4157)"},{"cve":"CVE-2023-25193","qid":"241851","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4175)"},{"cve":"CVE-2023-25193","qid":"241854","title":"Red Hat Update for java-17-openjdk (RHSA-2023:4177)"},{"cve":"CVE-2023-25193","qid":"241855","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4158)"},{"cve":"CVE-2023-25193","qid":"241859","title":"Red Hat Update for java-11-openjdk (RHSA-2023:4233)"},{"cve":"CVE-2023-25193","qid":"241860","title":"Red Hat Update for java-17-openjdk (RHSA-2023:4159)"},{"cve":"CVE-2023-25193","qid":"257249","title":"CentOS Security Update for java-11-openjdk"},{"cve":"CVE-2023-25193","qid":"283700","title":"Fedora Security Update for chromium (FEDORA-2023-4e6353c6f7)"},{"cve":"CVE-2023-25193","qid":"284267","title":"Fedora Security Update for cairo (FEDORA-2023-a48406ecd2)"},{"cve":"CVE-2023-25193","qid":"354801","title":"Amazon Linux Security Advisory for thunderbird : ALAS2-2023-1983"},{"cve":"CVE-2023-25193","qid":"355220","title":"Amazon Linux Security Advisory for harfbuzz : ALAS2023-2023-111"},{"cve":"CVE-2023-25193","qid":"355631","title":"Amazon Linux Security Advisory for java-17-amazon-corretto : ALAS2023-2023-258"},{"cve":"CVE-2023-25193","qid":"355636","title":"Amazon Linux Security Advisory for java-11-amazon-corretto : ALAS2023-2023-257"},{"cve":"CVE-2023-25193","qid":"355651","title":"Amazon Linux Security Advisory for java-11-amazon-corretto : ALAS2-2023-2137"},{"cve":"CVE-2023-25193","qid":"355652","title":"Amazon Linux Security Advisory for java-17-amazon-corretto : ALAS2-2023-2138"},{"cve":"CVE-2023-25193","qid":"378673","title":"Oracle Java Standard Edition (SE) Critical Patch Update - July 2023 (CPUJUL2023)"},{"cve":"CVE-2023-25193","qid":"378691","title":"Amazon Corretto Critical Patch Update (JUL2023)"},{"cve":"CVE-2023-25193","qid":"378692","title":"Azul Java Multiple Vulnerabilities Security Update July 2023"},{"cve":"CVE-2023-25193","qid":"378761","title":"Alibaba Cloud Linux Security Update for java-11-openjdk (ALINUX2-SA-2023:0035)"},{"cve":"CVE-2023-25193","qid":"378792","title":"Red Hat OpenJDK 11.0.20 Security Update for Windows Builds (RHSA-2023:4161)"},{"cve":"CVE-2023-25193","qid":"378793","title":"Red Hat OpenJDK 17.0.8 Security Update for Windows Builds (RHSA-2023:4211)"},{"cve":"CVE-2023-25193","qid":"378921","title":"Alibaba Cloud Linux Security Update for java-17-openjdk (ALINUX3-SA-2023:0119)"},{"cve":"CVE-2023-25193","qid":"378923","title":"Alibaba Cloud Linux Security Update for java-11-openjdk (ALINUX3-SA-2023:0118)"},{"cve":"CVE-2023-25193","qid":"503425","title":"Alpine Linux Security Update for openjdk11"},{"cve":"CVE-2023-25193","qid":"503427","title":"Alpine Linux Security Update for openjdk17"},{"cve":"CVE-2023-25193","qid":"506135","title":"Alpine Linux Security Update for openjdk11"},{"cve":"CVE-2023-25193","qid":"506137","title":"Alpine Linux Security Update for openjdk17"},{"cve":"CVE-2023-25193","qid":"672975","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2023-1871)"},{"cve":"CVE-2023-25193","qid":"672976","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2023-1846)"},{"cve":"CVE-2023-25193","qid":"673028","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2023-1977)"},{"cve":"CVE-2023-25193","qid":"673049","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2023-1955)"},{"cve":"CVE-2023-25193","qid":"673124","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2023-2270)"},{"cve":"CVE-2023-25193","qid":"673166","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2023-2294)"},{"cve":"CVE-2023-25193","qid":"673350","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2024-1142)"},{"cve":"CVE-2023-25193","qid":"674098","title":"EulerOS Security Update for harfbuzz (EulerOS-SA-2023-3129)"},{"cve":"CVE-2023-25193","qid":"754001","title":"SUSE Enterprise Linux Security Update for harfbuzz (SUSE-SU-2023:1822-1)"},{"cve":"CVE-2023-25193","qid":"754002","title":"SUSE Enterprise Linux Security Update for harfbuzz (SUSE-SU-2023:1821-1)"},{"cve":"CVE-2023-25193","qid":"754003","title":"SUSE Enterprise Linux Security Update for harfbuzz (SUSE-SU-2023:1820-1)"},{"cve":"CVE-2023-25193","qid":"754217","title":"SUSE Enterprise Linux Security Update for java-11-openjdk (SUSE-SU-2023:2990-1)"},{"cve":"CVE-2023-25193","qid":"754271","title":"SUSE Enterprise Linux Security Update for java-11-openjdk (SUSE-SU-2023:3287-1)"},{"cve":"CVE-2023-25193","qid":"905389","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for qt5-qtbase (13224)"},{"cve":"CVE-2023-25193","qid":"905398","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for qt5-qtbase (13231)"},{"cve":"CVE-2023-25193","qid":"905443","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13303)"},{"cve":"CVE-2023-25193","qid":"905449","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mozjs60 (13322)"},{"cve":"CVE-2023-25193","qid":"905453","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13321)"},{"cve":"CVE-2023-25193","qid":"906534","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13303-1)"},{"cve":"CVE-2023-25193","qid":"906552","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13321-1)"},{"cve":"CVE-2023-25193","qid":"906606","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13321-3)"},{"cve":"CVE-2023-25193","qid":"906657","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13303-3)"},{"cve":"CVE-2023-25193","qid":"906783","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13321-5)"},{"cve":"CVE-2023-25193","qid":"941188","title":"AlmaLinux Security Update for java-11-openjdk (ALSA-2023:4175)"},{"cve":"CVE-2023-25193","qid":"941189","title":"AlmaLinux Security Update for java-17-openjdk (ALSA-2023:4159)"},{"cve":"CVE-2023-25193","qid":"941191","title":"AlmaLinux Security Update for java-17-openjdk (ALSA-2023:4177)"},{"cve":"CVE-2023-25193","qid":"941192","title":"AlmaLinux Security Update for java-11-openjdk (ALSA-2023:4158)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2023-25193","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc","refsource":"MISC","name":"https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc"},{"url":"https://chromium.googlesource.com/chromium/src/+/e1f324aa681af54101c1f2d173d92adb80e37088/DEPS#361","refsource":"MISC","name":"https://chromium.googlesource.com/chromium/src/+/e1f324aa681af54101c1f2d173d92adb80e37088/DEPS#361"},{"url":"https://github.com/harfbuzz/harfbuzz/blob/2822b589bc837fae6f66233e2cf2eef0f6ce8470/src/hb-ot-layout-gsubgpos.hh","refsource":"MISC","name":"https://github.com/harfbuzz/harfbuzz/blob/2822b589bc837fae6f66233e2cf2eef0f6ce8470/src/hb-ot-layout-gsubgpos.hh"},{"refsource":"FEDORA","name":"FEDORA-2023-4e6353c6f7","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWCHWSICWVZSAXP2YAXM65JC2GR53547/"},{"refsource":"FEDORA","name":"FEDORA-2023-a48406ecd2","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZ5M2GSAIHFPLHYJXUPQ2QDJCLWXUGO3/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230725-0006/","url":"https://security.netapp.com/advisory/ntap-20230725-0006/"}]}},"nvd":{"publishedDate":"2023-02-04 20:15:00","lastModifiedDate":"2023-11-07 04:08:00","problem_types":["CWE-770"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:harfbuzz_project:harfbuzz:*:*:*:*:*:*:*:*","versionEndIncluding":"6.0.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}