CVE-2026-0943

NameCVE-2026-0943
DescriptionHarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability.  Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libharfbuzz-shaper-perl (PTS)trixie0.031+ds-1fixed
forky, sid0.032+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libharfbuzz-shaper-perlsource(unstable)(not affected)

Notes

- libharfbuzz-shaper-perl <not-affected> (Vulnerable code not present)
Debian packaging HarfBuzz strips sources from upstream tarball since initial
upload to the archive.
https://lists.security.metacpan.org/cve-announce/msg/36208377/
Search for package or bug name: Reporting problems