Microsoft DirectX12: .spritefont multiply overflow only in 32-bit builds

GHSA-5r97-79vw-qvm4

Published May 18, 2026 · Modified May 18, 2026

Description

Impact

The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE.

This impacts the use of the DirectX Tool Kit SpriteFont class file loading ctor if given untrusted data files.

Note this only applies to x86/ARM builds of the library. ARM64 and x64 native is not subject to this issue.

Patches

This bug has been fixed in the May 7, 2026 release. Alternatively, you can just update your copy of the reader as per this commit.

Workarounds

This does not apply if a project's .spritefont files are all 'trusted' data that were included with an application. It's primarily an issue only if developers are using user-provided or network downloaded spritefont files.

References

WEB https://github.com/microsoft/DirectXTK12/security/advisories/GHSA-5r97-79vw-qvm4
WEB https://github.com/microsoft/DirectXTK12/commit/c037a024a7ed3b2162fa2bbbe209b84ba2904494
PACKAGE https://github.com/microsoft/DirectXTK12
WEB https://github.com/microsoft/DirectXTK12/releases/tag/may2026

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes