PatchSiren cyber security CVE debrief

CVE-2016-10244 Debian CVE debrief

CVE-2016-10244 is a FreeType font-parsing vulnerability in parse_charstrings: a heap-based buffer over-read that is triggered when a crafted font lacks a glyph name. NVD rates the issue HIGH and lists impact on confidentiality, integrity, and availability, although the CVSS vector also indicates that user interaction is required. Systems that ingest untrusted fonts or ship bundled FreeType builds should prioritize patching.

Vendor: Debian
Product: CVE-2016-10244
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-06
Original CVE updated: 2026-05-13
Advisory published: 2017-03-06
Advisory updated: 2026-05-13

Who should care

Administrators and developers who rely on FreeType, especially platforms that parse user-supplied fonts or embed FreeType in desktop, mobile, browser, document, or graphics workflows. Debian Linux 8.0 is listed among affected CPEs, so Debian-based fleets should verify package updates and backports.

Technical summary

NVD describes the flaw as a heap-based buffer over-read in type1/t1load.c:parse_charstrings because the code did not ensure that a font contained a glyph name. The affected FreeType range is before 2.7.1. The CVSS 3.0 vector in the NVD record is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which indicates exploitation requires user interaction and is assessed as having high impact once triggered.

Defensive priority

High. The issue is rated HIGH, affects a core parsing library, and is reachable through crafted font content. Prioritize environments that accept untrusted documents, images, or fonts, and verify whether FreeType is bundled inside applications rather than only installed as an OS package.

Recommended defensive actions

  • Upgrade FreeType to 2.7.1 or later, or apply the vendor package that contains the fix.
  • Inventory systems and applications that bundle FreeType, not just those using the system package.
  • Check Debian and other distro advisories for backported fixes if you cannot move to a newer upstream release immediately.
  • Reduce exposure to untrusted font files where practical, especially in parsing pipelines that process external content.
  • Validate that package managers, containers, and firmware images are rebuilt after the FreeType update.
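The following Python script is an added example, not part of the PatchSiren debrief or of FreeType itself. It implements the inventory step from the list above: it walks a set of directories (the roots are an assumption; pass your own), loads every libfreetype.so* it finds through the public FreeType C API (FT_Init_FreeType, FT_Library_Version, FT_Done_FreeType), and flags builds older than the 2.7.1 threshold the advisory gives.

```python
"""Find FreeType shared libraries, including bundled copies, and flag
builds that predate the 2.7.1 release containing the parse_charstrings fix."""
import ctypes
import os
import re
from pathlib import Path

FIXED_VERSION = (2, 7, 1)  # first upstream release with the fix, per the advisory


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when a (major, minor, patch) tuple predates the fixed release.
    Caveat: distro backports (e.g. Debian DSA-3839) keep the old version number,
    so a hit means 'check the package changelog', not 'confirmed unpatched'."""
    return tuple(version) < tuple(fixed)


def parse_version(text):
    """Parse '2.6.3' or 'FreeType 2.7' (patch defaults to 0) into a tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def library_version(path):
    """Ask a libfreetype shared object for its own version. Returns None if the
    file cannot be loaded or does not export the FreeType API."""
    try:
        lib = ctypes.CDLL(str(path))
        lib.FT_Init_FreeType.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
        lib.FT_Init_FreeType.restype = ctypes.c_int
        lib.FT_Library_Version.argtypes = [ctypes.c_void_p] + [ctypes.POINTER(ctypes.c_int)] * 3
        lib.FT_Library_Version.restype = None
        lib.FT_Done_FreeType.argtypes = [ctypes.c_void_p]
    except (OSError, AttributeError):
        return None
    handle = ctypes.c_void_p()
    if lib.FT_Init_FreeType(ctypes.byref(handle)) != 0:
        return None
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    lib.FT_Library_Version(handle, ctypes.byref(major), ctypes.byref(minor), ctypes.byref(patch))
    lib.FT_Done_FreeType(handle)
    return (major.value, minor.value, patch.value)


def audit(roots):
    """Return (path, version, vulnerable) for every libfreetype.so* under roots,
    so copies bundled inside application directories show up next to the OS package."""
    results = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.startswith("libfreetype.so"):
                    lib = Path(dirpath) / name
                    version = library_version(lib)
                    results.append((str(lib), version, version is not None and is_vulnerable(version)))
    return results


if __name__ == "__main__":
    import sys  # search roots below are an assumption; adjust for your fleet
    for path, version, vuln in audit(sys.argv[1:] or ["/usr/lib", "/usr/local/lib", "/opt"]):
        print(f"{'VULNERABLE' if vuln else 'ok':10} {version} {path}")
```

Run it inside containers and application install trees as well as on the host, since the advisory's point is that a bundled FreeType is missed by package-manager checks alone.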

Evidence notes

The NVD description states that parse_charstrings in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, leading to a heap-based buffer over-read or other impact. The NVD CPE data marks cpe:2.3:a:freetype:freetype:* with versionEndExcluding 2.7.1 as vulnerable, and also lists Debian Linux 8.0 as affected. The record’s CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Referenced materials include the FreeType ChangeLog for VER-2-7, Debian DSA-3839, and the Chromium OSS-Fuzz issue entry.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-03-06. The NVD entry was later modified on 2026-05-13, but that is not the original disclosure date.