
Description

HarfBuzz::Shaper versions before 0.032 for Perl contain a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693.

PUBLISHED Reserved 2026-01-14 | Published 2026-01-19 | Updated 2026-01-20 | Assigner CPANSec

Problem types

CWE-1395 Dependency on Vulnerable Third-Party Component

Product status

Default status: unaffected

Any version before 0.032: affected

References

bugzilla.redhat.com/show_bug.cgi?id=2429296 (issue-tracking)

www.cve.org/CVERecord?id=CVE-2026-22693

metacpan.org/release/JV/HarfBuzz-Shaper-0.032/changes (release-notes)

cve.org (CVE-2026-0943)

nvd.nist.gov (CVE-2026-0943)
