CVE-2026-22693: Null Pointer Dereference in SubtableUnicodesCache::create leading to DoS

Overview

Severity

Medium (CVSS 5.3)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U

Exploit Status

Not Exploited

Patch Tuesday

2026-Jan

Released

2026-01-11

Last Updated

2026-01-20

EPSS Score

0.07% (percentile: 21.2%)

Affected Products (5)

Open Source Software

• azl3 harfbuzz 8.3.0-4 on Azure Linux 3.0
• cbl2 qt5-qtbase 5.12.11-19 on CBL Mariner 2.0

Mariner

• azl3 harfbuzz 8.3.0-3 on Azure Linux 3.0
• cbl2 harfbuzz 3.4.0-3 on CBL Mariner 2.0
• azl3 qtbase 6.6.3-4 on Azure Linux 3.0

Revision History

• 2026-01-11: Information published.
• 2026-01-13: Information published.
• 2026-01-13: Information published.
• 2026-01-15: Information published.
• 2026-01-20: Information published.