CVE-2026-0943: CWE-1395 Dependency on Vulnerable Third-Party Component in JV HarfBuzz::Shaper
CVE-2026-0943 is a high-severity vulnerability in HarfBuzz::Shaper versions prior to 0.032 for Perl, caused by a null pointer dereference in a bundled HarfBuzz library (version 8.4.0 or earlier). This flaw leads to a denial of service (DoS) condition without requiring authentication or user interaction. The vulnerability stems from a dependency on a vulnerable third-party component, specifically HarfBuzz affected by CVE-2026-22693. Although no known exploits are currently in the wild, the vulnerability's ease of remote exploitation and impact on availability make it a significant risk. European organizations using affected versions in their software stacks, especially those relying on Perl bindings for text shaping or rendering, should prioritize patching or mitigating this issue. Countries with strong software development sectors and extensive use of open-source libraries are more likely to be impacted. Immediate mitigation involves updating to HarfBuzz::Shaper version 0.
AI Analysis
Technical Summary
CVE-2026-0943 identifies a vulnerability in the JV project's HarfBuzz::Shaper Perl module versions before 0.032. The root cause is a null pointer dereference within the bundled HarfBuzz library (version 8.4.0 or earlier), which is included as hb_src.tar.gz in the source tarball. This underlying HarfBuzz vulnerability is tracked as CVE-2026-22693. The null pointer dereference can be triggered remotely without any authentication or user interaction, resulting in a denial of service by crashing the application or service using the affected library. HarfBuzz is a widely used text shaping engine critical for rendering complex scripts and fonts in many software applications, including web browsers, document processors, and UI frameworks. The dependency on a vulnerable third-party component (CWE-1395) highlights the risk of inherited vulnerabilities through bundled libraries. The CVSS v3.1 score of 7.5 reflects the high impact on availability with network attack vector, low attack complexity, and no privileges or user interaction required. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. Organizations using HarfBuzz::Shaper in Perl environments should verify their versions and update to 0.032 or later, which includes an updated HarfBuzz library free from this flaw.
Potential Impact
The primary impact of CVE-2026-0943 is denial of service, which can disrupt applications relying on HarfBuzz::Shaper for text rendering. For European organizations, this could affect web services, document processing systems, and any software that integrates Perl bindings for HarfBuzz, potentially causing service outages or degraded user experience. Industries such as publishing, software development, and any sector relying on complex text rendering (e.g., multilingual support) are at risk. The vulnerability does not compromise confidentiality or integrity but can cause availability issues, leading to operational disruptions and potential reputational damage. Since exploitation requires no authentication and can be triggered remotely, attackers could leverage this vulnerability to disrupt critical services. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code could emerge. European organizations with extensive use of open-source software and Perl modules should be vigilant, as the dependency on vulnerable third-party components is a common supply chain risk.
Mitigation Recommendations
1. Upgrade HarfBuzz::Shaper to version 0.032 or later, which includes an updated HarfBuzz library that addresses the null pointer dereference vulnerability.
2. Audit all software dependencies to identify bundled or linked versions of HarfBuzz 8.4.0 or earlier and update them accordingly.
3. Implement runtime protections such as application-level monitoring and crash detection to quickly identify and respond to denial of service conditions.
4. Employ network-level protections like rate limiting and anomaly detection to mitigate potential exploitation attempts.
5. For organizations unable to immediately upgrade, consider isolating affected services or applying temporary workarounds such as input validation or disabling vulnerable features if feasible.
6. Maintain an inventory of all Perl modules and third-party libraries to improve supply chain visibility and facilitate rapid response to similar vulnerabilities.
7. Monitor security advisories for updates or patches related to CVE-2026-0943 and CVE-2026-22693 to apply fixes promptly.
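The following POSIX shell script is an added example, not code from the advisory or from the JV project, showing how the version audit in mitigation steps 1 and 2 can be done on a host. It reads the installed HarfBuzz::Shaper version from Perl and compares it numerically against the 0.032 threshold from the advisory (assuming the module uses a plain decimal version number, as 0.032 suggests), and as a secondary check compares any system-linked HarfBuzz reported by pkg-config against 8.4.0. The pkg-config check is an assumption of this example: the advisory says the affected HarfBuzz copy is bundled in the module's source tarball, so the system library version does not by itself prove the module is fixed.

```shell
#!/bin/sh
# Version audit for CVE-2026-0943 (added example, not from the advisory or the JV project).
# Thresholds are taken from the advisory: HarfBuzz::Shaper < 0.032 and HarfBuzz <= 8.4.0.

# Compare two dotted version strings component by component (e.g. 8.4.0 vs 8.3.1).
# Prints -1, 0 or 1 for a < b, a == b, a > b. Missing components count as 0, so 8.4 == 8.4.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Exit 0 (true) when a HarfBuzz::Shaper version is below 0.032.
# Perl decimal versions compare as numbers, so 0.1 is newer than 0.032; a dotted
# comparison would get that wrong, which is why this uses a numeric test.
shaper_is_affected() {
    awk -v v="$1" 'BEGIN { exit (((v + 0) < 0.032) ? 0 : 1) }'
}

# Exit 0 (true) when a HarfBuzz library version is 8.4.0 or earlier.
harfbuzz_is_affected() {
    [ "$(vercmp "$1" 8.4.0)" -le 0 ]
}

# Query the host and report. Returns 1 if anything affected was found, else 0.
audit() {
    status=0
    if sv=$(perl -MHarfBuzz::Shaper -e 'print $HarfBuzz::Shaper::VERSION' 2>/dev/null); then
        if shaper_is_affected "$sv"; then
            echo "HarfBuzz::Shaper $sv: affected by CVE-2026-0943, upgrade to 0.032 or later"
            status=1
        else
            echo "HarfBuzz::Shaper $sv: at or above 0.032"
        fi
    else
        echo "HarfBuzz::Shaper: not installed (or perl not found)"
    fi
    # Secondary check for a system-linked HarfBuzz (assumption: pkg-config knows about it).
    if hv=$(pkg-config --modversion harfbuzz 2>/dev/null); then
        if harfbuzz_is_affected "$hv"; then
            echo "system HarfBuzz $hv: 8.4.0 or earlier, check vendor fix for CVE-2026-22693"
            status=1
        else
            echo "system HarfBuzz $hv: newer than 8.4.0"
        fi
    else
        echo "system HarfBuzz: pkg-config reports no harfbuzz module"
    fi
    return $status
}

# Run the audit only when invoked as `sh audit.sh --audit`, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run it as `sh audit.sh --audit`; a non-zero exit code means at least one affected version was found, which makes the script easy to drop into a fleet-wide inventory job (mitigation step 6).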
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-01-14T15:30:04.686Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 696da475d302b072d93ab10b
Added to database: 1/19/2026, 3:26:45 AM
Last enriched: 1/26/2026, 8:06:43 PM
Last updated: 2/7/2026, 12:25:20 PM
Views: 148