CVE-2011-3256
Description
A memory corruption vulnerability in FreeType 2 before 2.4.7 allows arbitrary code execution or denial of service via a crafted font.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FreeType 2 versions before 2.4.7 contain a memory corruption vulnerability in the font parsing engine. The flaw is triggered when processing a specially crafted font file. This issue is distinct from CVE-2011-0226 and affects CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and other products that bundle FreeType [1][2][3].
Exploitation
An attacker can exploit this vulnerability by delivering a malicious font to the target system. This typically requires user interaction, such as viewing a document, visiting a web page, or receiving a message that renders the crafted font. No special network position or authentication is needed beyond the means to deliver the font to the application [1][2].
Impact
Successful exploitation results in memory corruption, which can lead to arbitrary code execution with the privileges of the affected application, or a denial of service (crash). In the context of iOS, this could allow remote code execution on the device [1][2].
Mitigation
Apple addressed this issue in iOS 5 (published October 12, 2011) and later in OS X Lion v10.7.3 and Security Update 2012-001 (released February 1, 2012) [1][2]. FreeType upstream released version 2.4.7 on October 18, 2011 to fix the vulnerability [3]. Users should update to these patched versions or apply vendor-specific updates.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:iphone_os:3.0:-:iphone:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1.2:-:iphone:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1.3:-:iphone:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1:-:iphone:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.1:-:ipodtouch:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2.1:-:ipad:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2:-:iphone:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:3.2:-:ipodtouch:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0.1:-:iphone:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0.1:-:ipodtouch:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0:-:iphone:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.0:-:ipodtouch:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.2.8:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.3.5:-:ipad:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:4.3.5:-:ipodtouch:*:*:*:*:*
References
- lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html (nvd, Vendor Advisory)
- support.apple.com/kb/HT4999 (nvd, Vendor Advisory)
- lists.apple.com/archives/security-announce/2012/Feb/msg00000.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2011-November/069100.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2011-12/msg00008.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2012-01/msg00003.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2012-01/msg00012.html (nvd)
- secunia.com/advisories/48951 (nvd)
- support.apple.com/kb/HT5130 (nvd)
- www.debian.org/security/2011/dsa-2328 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/bid/50155 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/70552 (nvd)
- sourceforge.net/projects/freetype/files/freetype2/2.4.7/README/view (nvd)