Re: Null Pointer Dereference in HarfBuzz

[Greg KH <greg () kroah com>]

On Mon, Jan 12, 2026 at 10:42:33AM +0100, Jan Engelhardt wrote:
> On Monday 2026-01-12 04:09, Jacob Bachmeyer wrote:
> > In short, this is a crash bug, but not a security issue.  This is different
> > from (for example) a parser bug that results in NULL being dereferenced if
> > crafted input is processed.
> >
> > Are we now using CVE IDs as some kind of global bug tracker?
>
> Isn't that how the Linux kernel works these days,
> as per <https://docs.kernel.org/process/cve.html>:
>
> "almost any bug might be exploitable to compromise the security of
> the kernel, but the possibility of exploitation is often not evident
> when the bug is fixed"

The kernel might be a bit "different" here, given that any type of bug
that happens at the level of Linux can cause a system failure (i.e.
vulnerability), while I don't know if harfbuzz is at that same level
(i.e. does it claim to support any invalid input, like the kernel does?)

thanks,

greg k-h