PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50811 FreeType CVE debrief

CVE-2026-50811 is an out-of-bounds read vulnerability in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 in src/truetype/ttgxvar.c, in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates. This vulnerability has a medium defensive priority. Evidence is limited; verify affected scope with inventory checks and monitor for vendor remediation. The vulnerability exists in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates. Limited evidence is available; further verification is required.

Vendor
FreeType
Product
FreeType 2.14.3
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 should verify their affected scope and monitor for vendor remediation. This includes operators, platform administrators, vulnerability management teams, and security teams.

Technical summary

The vulnerability exists in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71. Limited evidence is available; further verification is required. Affected product deployments should be verified, and compensating controls should be reviewed. This includes operators, platform administrators, vulnerability management teams, and security teams. Evidence is limited; verify primary official records. Affected scope and vendor remediation status are unknown. Limited evidence suggests FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 are affected. Verify affected scope with inventory checks and monitor for vendor remediation status. Official CVE record and NVD details provide additional context.

Defensive priority

Medium

Recommended defensive actions

  • Verify affected scope with inventory checks
  • Monitor for vendor remediation
  • Implement compensating controls
  • Exception tracking and retest
  • Review official advisory or CVE record
  • Plan vendor-supported updates or mitigations
  • Check relevant monitoring, detection, and logs

Evidence notes

Evidence is limited; verify primary official records. Affected scope and vendor remediation status are unknown. Limited evidence suggests FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 are affected. Verify affected scope with inventory checks and monitor for vendor remediation status. Official CVE record and NVD details provide additional context.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T23:16:55.017Z and has not been modified since then.