Red Hat Product Errata RHSA-2026:8937 - Security Advisory Issued: 2026-04-20 Updated: 2026-04-20 RHSA-2026:8937 - Security Advisory Overview Updated Packages Synopsis Important: fontforge security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for fontforge is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description FontForge is a font editor for outline and bitmap fonts. It supports a range of font formats, including PostScript (ASCII and binary Type 1, some Type 3 and Type 0), TrueType, OpenType (Type2) and CID-keyed fonts. Security Fix(es): fontforge: FontForge: Remote Code Execution via heap-based buffer overflow in BMP file parsing (CVE-2025-15279) fontforge: FontForge: Remote Code Execution via Use-After-Free in SFD file parsing (CVE-2025-15269) fontforge: FontForge: Arbitrary code execution via SFD file parsing buffer overflow (CVE-2025-15275) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64 Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le Fixes BZ - 2426421 - CVE-2025-15279 fontforge: FontForge: Remote Code Execution via heap-based buffer overflow in BMP file parsing BZ - 2426423 - CVE-2025-15269 fontforge: FontForge: Remote Code Execution via Use-After-Free in SFD file parsing BZ - 2426429 - CVE-2025-15275 fontforge: FontForge: Arbitrary code execution via SFD file parsing buffer overflow CVEs CVE-2025-15269 CVE-2025-15275 CVE-2025-15279 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 SRPM fontforge-20120731b-14.el7_9.src.rpm SHA-256: c1630c981a6337cb18781ec51d9822a7ee37cf66fa48243d1e7ff5af8281b7e2 x86_64 fontforge-20120731b-14.el7_9.i686.rpm SHA-256: 7bd5210ff23f621318a38f96313c7bd9b9771ad770df6cf4957857ee4b06c12e fontforge-20120731b-14.el7_9.x86_64.rpm SHA-256: e82627f6ab9720212761beb8334f2a081ba0d75ef172944e4f5495fd5314e87a fontforge-debuginfo-20120731b-14.el7_9.i686.rpm SHA-256: 095e8f5da12f5e851128f356b5913181bef4df92917ee31946ec8e8fdbe991af fontforge-debuginfo-20120731b-14.el7_9.x86_64.rpm SHA-256: ffcdff2dcf47716cfe1da999039200e5f2b2d56aa98317e6974268f6d70fc4a7 fontforge-devel-20120731b-14.el7_9.i686.rpm SHA-256: 382869460d83683903b24e1fd5ca82b70083d548ef662e59eba69dfe108f593a fontforge-devel-20120731b-14.el7_9.x86_64.rpm SHA-256: 51d7176b941660bbb30dd21f715809dc6bb6a1301d9a1783cf74daed2602633a Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 SRPM fontforge-20120731b-14.el7_9.src.rpm SHA-256: c1630c981a6337cb18781ec51d9822a7ee37cf66fa48243d1e7ff5af8281b7e2 s390x fontforge-20120731b-14.el7_9.s390.rpm SHA-256: 9e5fd09958058fef6f85f9718639de1c9aab71a89099d572683eaf8237ae7c74 fontforge-20120731b-14.el7_9.s390x.rpm SHA-256: 9109b5b2795a96682a40d20d83b0b9bb55d416c1e99b8bfcd6a58f85963cac15 fontforge-debuginfo-20120731b-14.el7_9.s390.rpm SHA-256: 06898602ff4ed5516a23e3c0748997dc10cf5f6e3888ab8b447a6efdb20b4b1a fontforge-debuginfo-20120731b-14.el7_9.s390x.rpm SHA-256: d9c598c64a4f228579a052ebd74ad7c05856b750f3e53889e56eac5a9dd5968c fontforge-devel-20120731b-14.el7_9.s390.rpm SHA-256: e85f516384e03d3d705c6cf5461e0de13c8f28f875663902d4f1551ad5b2fd10 fontforge-devel-20120731b-14.el7_9.s390x.rpm SHA-256: 6e7be94a77242ba2060fea2496bcf5eaf443c7cc18d9c56d37a37cd4c9e72c7f Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 SRPM fontforge-20120731b-14.el7_9.src.rpm SHA-256: c1630c981a6337cb18781ec51d9822a7ee37cf66fa48243d1e7ff5af8281b7e2 ppc64 fontforge-20120731b-14.el7_9.ppc.rpm SHA-256: a5017e4615c1736f2b22e04db859792adb719f9370aa4a041c50503caf1eac7b fontforge-20120731b-14.el7_9.ppc64.rpm SHA-256: 2261f75d3cd76a3075a65d6d15947b42f24b9dfc65fd3f11553d8e6e09162ca1 fontforge-debuginfo-20120731b-14.el7_9.ppc.rpm SHA-256: c9cab3ad731c098ce6bed8b1450bf5b334fa9fb96f76fb84d28d7aad64bc0980 fontforge-debuginfo-20120731b-14.el7_9.ppc64.rpm SHA-256: a406db1b6a2ad4dfc73f0ca778c707418d09e16af42f86574f5ba950d2f1a711 fontforge-devel-20120731b-14.el7_9.ppc.rpm SHA-256: 0c60c1f3ba516baa27f4034efefafd41578a1261874044ec541d767358067575 fontforge-devel-20120731b-14.el7_9.ppc64.rpm SHA-256: aa53a6156dd207ab743dd2dbe98e1243c96d7c26c4b502496835f60335d1e25e Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 SRPM fontforge-20120731b-14.el7_9.src.rpm SHA-256: c1630c981a6337cb18781ec51d9822a7ee37cf66fa48243d1e7ff5af8281b7e2 ppc64le fontforge-20120731b-14.el7_9.ppc64le.rpm SHA-256: adb79078afc56c33316bdbde2d250b7a38ce760accf5ccf65ab257805225beff fontforge-debuginfo-20120731b-14.el7_9.ppc64le.rpm SHA-256: bc6bb0ebfbd7a9566462d8869230fd7ad29390ada3a57c13321c1e1d001c6f2a fontforge-devel-20120731b-14.el7_9.ppc64le.rpm SHA-256: e4e8982d010eec80141d72b034dff110f8c7e0a3377bd317c075c8a7b24ceb8b The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .