Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds

GHSA-c55g-rp4x-fx84

Published May 18, 2026 · Modified May 18, 2026

Description

Impact

The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE.

This impacts the use of the DirectX Tool Kit SpriteFont class file loading ctor if given untrusted data files.

Note this only applies to x86/ARM builds of the library. ARM64 and x64 native is not subject to this issue.

Patches

This bug has been fixed in the May 7, 2026 release. Alternatively, users can update their copy of the reader as per this commit.

Workarounds

This does not apply if a project's .spritefont files are all 'trusted' data that were included with an application. It's primarily an issue only if developers are using user-provided or network downloaded spritefont files.

References

WEB https://github.com/microsoft/DirectXTK/security/advisories/GHSA-c55g-rp4x-fx84
WEB https://github.com/microsoft/DirectXTK/commit/ef1bd5d7f492c39dd0cd87493ba8ea38725c9791
PACKAGE https://github.com/microsoft/DirectXTK
WEB https://github.com/microsoft/DirectXTK/releases/tag/may2026

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes