
CVE-2022-35064: n/a in n/a

Severity: Medium
Published: Mon Sep 19 2022 (09/19/2022, 21:23:52 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x4adcdb in __asan_memset.

AI-Powered Analysis

Last updated: 07/08/2025, 02:10:52 UTC

Technical Analysis

CVE-2022-35064 is a medium severity heap buffer overflow vulnerability identified in a specific commit (617837b) of the OTFCC project, a tool for OpenType font manipulation. The crash was reported by AddressSanitizer's memset interceptor (__asan_memset) at offset 0x4adcdb in the binary /release-x64/otfccdump, so the out-of-bounds write is a memset issued by otfccdump code at that location; the sanitizer only detected it. The flaw is classified under CWE-787 (out-of-bounds write): the software writes more data to a heap-allocated buffer than it can hold, corrupting adjacent heap memory. The vulnerability was discovered under AddressSanitizer (ASan) instrumentation, which is used to detect such memory errors during testing. The CVSS v3.1 base score is 6.5, reflecting a medium severity level. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H indicates that the vulnerability is exploitable over the network without privileges but requires user interaction (a user must process a crafted font file). It does not impact confidentiality or integrity, but the crash causes a complete loss of availability (denial of service). No known exploits are currently in the wild, and no patches or vendor information are provided in the record, which suggests limited public exposure or vendor response at the time of publication. The lack of product and version details limits precise identification of affected deployments, but the vulnerability is specifically tied to the OTFCC tool used in font processing workflows.

Potential Impact

For European organizations, the primary impact of CVE-2022-35064 is a potential denial of service (DoS) condition when processing malicious or malformed OpenType fonts using the vulnerable OTFCC tool. This could disrupt automated font processing pipelines, font validation, or font conversion services, particularly in industries relying heavily on digital publishing, graphic design, or document management. Since the vulnerability requires user interaction (e.g., opening or processing a crafted font file), targeted attacks could be delivered via email attachments, web downloads, or supply chain compromises involving font files. Although confidentiality and integrity are not directly impacted, availability loss could interrupt business operations, cause service outages, or degrade user experience. The absence of known exploits reduces immediate risk, but organizations using OTFCC in their toolchains should be cautious, especially if font files are received from untrusted sources. The impact is more pronounced in sectors with high reliance on font manipulation tools, such as media, publishing, and software development companies.

Mitigation Recommendations

To mitigate CVE-2022-35064, European organizations should:

1) Identify and inventory all instances of the OTFCC tool within their environments, including build and deployment pipelines.
2) Restrict the processing of font files from untrusted or unknown sources, implementing strict file validation and sandboxing where possible.
3) Monitor for updates or patches from the OTFCC project or related maintainers and apply them promptly once available.
4) Employ runtime protections such as AddressSanitizer or other memory safety tools during development and testing to detect similar issues early.
5) Implement network and endpoint security controls to prevent delivery of malicious font files, including email filtering and endpoint detection and response (EDR) solutions.
6) Educate users about the risks of opening untrusted font files and enforce policies limiting user interaction with such files.
7) Consider alternative font processing tools with a stronger security track record if OTFCC is critical but unpatched.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-07-04T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68387633182aa0cae28217b2
Added to database: 5/29/2025, 2:58:59 PM
Last enriched: 7/8/2025, 2:10:52 AM
Last updated: 8/3/2025, 12:46:53 PM
