CVE-2010-0421

Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.

Published: 2010-03-18 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2010-0421 is rated Moderate Risk (46.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.45%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2010-0421

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 1.66% 2.45% +0.79%
2 2025-03-30 3.09% 1.66% -1.43%
3 2025-03-29 3.09%

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2010-0421

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.3 2.0 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.6 2.9 [email protected]

Weakness enumeration for CVE-2010-0421

OS Trackers for CVE-2010-0421

vendor priority summary link
debian not yet assigned CVE-2010-0421 not yet assigned priority: Debian including 1 source packages (pango1.0), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2010-0421
redhat medium https://access.redhat.com/security/cve/CVE-2010-0421
ubuntu low CVE-2010-0421 low priority: Ubuntu including 1 source packages (pango1.0), 8 status rows across 8 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, upstream): ignored 3, released 3, not-affected 2. https://ubuntu.com/security/CVE-2010-0421

Affected software / configurations for CVE-2010-0421

Vendor Product Version Raw CPE
gnome pango <= 1.27 cpe:2.3:a:gnome:pango:*:*:*:*:*:*:*:*

References for CVE-2010-0421

URL Tags
http://ftp.gnome.org/pub/GNOME/sources/pango/1.27/pango-1.27.1.tar.bz2 Patch
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://secunia.com/advisories/39041
http://securitytracker.com/id?1023711
http://www.debian.org/security/2010/dsa-2019
http://www.mandriva.com/security/advisories?name=MDVSA-2010:121
http://www.redhat.com/support/errata/RHSA-2010-0140.html
http://www.securityfocus.com/bid/38760
http://www.vupen.com/english/advisories/2010/0627
http://www.vupen.com/english/advisories/2010/0661
http://www.vupen.com/english/advisories/2010/1552
https://bugzilla.redhat.com/show_bug.cgi?id=555831
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9417
cvelogic Threat Intelligence