Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2023-25193

CVE-2023-25193: Harfbuzz DoS Vulnerability

CVE-2023-25193 is a denial of service vulnerability in Harfbuzz that allows attackers to trigger O(n^2) growth through consecutive marks. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2023-25193 Overview

CVE-2023-25193 is an algorithmic complexity vulnerability in HarfBuzz, a widely-used text shaping library. The vulnerability exists in hb-ot-layout-gsubgpos.hh through version 6.0.0, where attackers can trigger O(n²) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. This quadratic complexity can lead to significant performance degradation and denial of service conditions when processing specially crafted font data.

Critical Impact

This vulnerability allows remote attackers to cause denial of service through resource exhaustion by exploiting the quadratic algorithmic complexity in mark attachment processing, potentially affecting applications that render untrusted fonts including web browsers and document processors.

Affected Products

  • HarfBuzz Project HarfBuzz through version 6.0.0
  • Fedora Project Fedora 36
  • Applications embedding HarfBuzz for text shaping (including Chromium-based browsers)

Discovery Timeline

  • 2023-02-04 - CVE-2023-25193 published to NVD
  • 2025-03-25 - Last updated in NVD database

Technical Details for CVE-2023-25193

Vulnerability Analysis

The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw exists in the OpenType layout processing code within HarfBuzz, specifically in the glyph substitution and positioning (GSUB/GPOS) handling routines. When the text shaping engine processes fonts with consecutive mark characters, the algorithm performs a backward search for base glyphs without adequate bounds checking.

The unbounded lookback operation means that for each mark glyph, the algorithm may traverse an increasingly large number of preceding glyphs. With n consecutive marks, this results in approximately n² total operations, creating an algorithmic complexity attack vector. An attacker can craft malicious font files or text input that exploits this behavior to consume excessive CPU resources.

Root Cause

The root cause lies in the hb-ot-layout-gsubgpos.hh header file, where the backward search algorithm for base glyph attachment lacked a proper limit on how far back the search could traverse. When processing mark glyphs (such as combining diacritics), the code would search backwards through all preceding glyphs without restriction, leading to quadratic time complexity when many consecutive marks are present.

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Crafting a malicious font file containing sequences that trigger excessive mark lookback operations
  2. Delivering the malicious content through web pages, documents, or other media that trigger font rendering
  3. Causing the target application to enter a resource-exhausted state, resulting in denial of service

The attack can be delivered remotely through any application that uses HarfBuzz for text rendering, including web browsers, PDF viewers, and document editors.

text
       unsigned stop = num_items - 1;
       if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
         stop = 1 - 1;
+
+      /* When looking back, limit how far we search; this function is mostly
+       * used for looking back for base glyphs when attaching marks. If we
+       * don't limit, we can get O(n^2) behavior where n is the number of
+       * consecutive marks. */
+      stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
+
       while (idx > stop)
       {
 	idx--;

Source: GitHub HarfBuzz Commit

The patch introduces a limit using HB_MAX_CONTEXT_LENGTH to constrain the backward search, preventing the quadratic complexity by ensuring the lookback never exceeds a fixed maximum distance.

Detection Methods for CVE-2023-25193

Indicators of Compromise

  • Abnormally high CPU utilization during text rendering or font processing operations
  • Application hangs or freezes when processing documents containing unusual font sequences
  • Increased memory consumption in processes that handle text shaping
  • Slow response times in web browsers when rendering specific web pages with embedded fonts

Detection Strategies

  • Monitor for excessive CPU consumption in processes using HarfBuzz libraries (e.g., browser rendering engines, PDF processors)
  • Implement resource monitoring to detect processes exhibiting quadratic time complexity patterns
  • Deploy application-level logging to track font processing times and identify anomalous durations
  • Use software composition analysis (SCA) tools to identify vulnerable HarfBuzz versions in your environment

Monitoring Recommendations

  • Configure alerts for sustained high CPU usage in applications known to use HarfBuzz for text rendering
  • Implement timeouts for font processing operations to prevent indefinite resource consumption
  • Monitor network traffic for delivery of potentially malicious font files or documents
  • Deploy endpoint detection and response (EDR) solutions to identify denial of service patterns

How to Mitigate CVE-2023-25193

Immediate Actions Required

  • Update HarfBuzz to a version that includes the security patch (commit 85be877925ddbf34f74a1229f3ca1716bb6170dc or later)
  • Update Chromium-based browsers and other applications that bundle HarfBuzz
  • Apply available operating system and distribution patches (Fedora users should apply the relevant package updates)
  • Review and update any custom applications that directly integrate HarfBuzz

Patch Information

The vulnerability has been addressed in the official HarfBuzz commit which limits the backward search distance using HB_MAX_CONTEXT_LENGTH. Chromium has also updated its bundled HarfBuzz version as noted in the Chromium DEPS configuration. Fedora has released package updates addressing this vulnerability as documented in the Fedora package announcements.

Workarounds

  • Implement input validation to reject fonts or documents with an unusually high number of consecutive mark characters
  • Configure application-level timeouts to terminate font processing operations that exceed reasonable durations
  • Consider sandboxing font rendering processes to limit the impact of resource exhaustion attacks
  • Disable untrusted font loading where possible until patches can be applied
bash
# Check HarfBuzz version on Linux systems
pkg-config --modversion harfbuzz

# Verify if patched version is installed (Fedora)
rpm -q harfbuzz

# Update HarfBuzz on Fedora
sudo dnf update harfbuzz

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.