GHSA-5r97-79vw-qvm4: Microsoft DirectX12: .spritefont multiply overflow only in 32-bit builds
The spritefont reader can be induced to perform a multiplication that overflows 32 bits, which could in theory result in RCE.
This impacts the file-loading constructor of the DirectX Tool Kit SpriteFont class when it is given untrusted data files.
Note that this only applies to x86/ARM builds of the library. Native ARM64 and x64 builds are not subject to this issue.
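The class of bug described above, as an added example that is not DirectX Tool Kit code: a byte count computed as count times record size in 32 bits wraps for a large count, so a length check passes on a tiny value, while the same product in 64 bits does not wrap. The record size, the function names and the sample count are assumptions made for illustration; the real SpriteFont layout is not shown on this page.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical record size (assumption, not the real SpriteFont glyph layout).
constexpr uint32_t kRecordSize = 40;

// Unchecked form: the product is computed in 32 bits, the width of size_t on
// x86/ARM builds. A large count wraps it, so the bounds test sees a tiny value.
bool unchecked_fits(uint32_t count, uint32_t available) {
    uint32_t bytes = count * kRecordSize;   // wraps modulo 2^32
    return bytes <= available;
}

// Checked form: reject any count whose product cannot be represented in 32 bits
// before multiplying, then compare against the bytes actually present.
bool checked_fits(uint32_t count, uint32_t available, uint32_t* bytes_out) {
    if (count > std::numeric_limits<uint32_t>::max() / kRecordSize)
        return false;                       // product would overflow
    uint32_t bytes = count * kRecordSize;
    if (bytes > available)
        return false;                       // file is shorter than it claims
    *bytes_out = bytes;
    return true;
}

// Same product in 64 bits, the width of size_t on x64/ARM64 builds:
// it cannot wrap for a 32-bit count, so the bounds test stays meaningful.
bool wide_fits(uint32_t count, uint64_t available) {
    return static_cast<uint64_t>(count) * kRecordSize <= available;
}

int main() {
    const uint32_t count = 107374183;       // constructed: count * 40 == 2^32 + 24
    uint32_t bytes = 0;
    std::printf("unchecked 32-bit: %d\n", unchecked_fits(count, 1024));
    std::printf("checked 32-bit:   %d\n", checked_fits(count, 1024, &bytes));
    std::printf("64-bit product:   %d\n", wide_fits(count, 1024));
    return 0;
}
```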