CVE-2026-0943

CVE-2026-0943: HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability

Vendor Jv
Product HarfBuzz::Shaper
Weakness CWE-1395
Published January 19, 2026
Last update January 20, 2026

CVSS base score

What the vulnerability does

01Description

HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability.  Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693.

Key dates

02Disclosure timeline

January 19, 2026 CVE published
January 20, 2026 Record updated