GHSA-c55g-rp4x-fx84: Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds

May 18, 2026

The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE.

This impacts the use of the DirectX Tool Kit SpriteFont class file loading ctor if given untrusted data files.

Note this only applies to x86/ARM builds of the library. ARM64 and x64 native is not subject to this issue.

References

github.com/advisories/GHSA-c55g-rp4x-fx84
github.com/microsoft/DirectXTK/commit/ef1bd5d7f492c39dd0cd87493ba8ea38725c9791
github.com/microsoft/DirectXTK/releases/tag/may2026
github.com/microsoft/DirectXTK/security/advisories/GHSA-c55g-rp4x-fx84

Code Behaviors & Features

Detect and mitigate GHSA-c55g-rp4x-fx84 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →