GHSA-5r97-79vw-qvm4 | Severity: Medium | Disclosed before NVD
Microsoft DirectX12: .spritefont multiply overflow only in 32-bit builds
📋 Description
### Impact
The .spritefont reader can be induced to perform a multiply that overflows 32-bit arithmetic, which could in theory result in RCE.
This impacts the *DirectX Tool Kit* **SpriteFont** class file-loading constructor when it is given untrusted data files.
> Note this only applies to x86/ARM builds of the library. ARM64 and x64 native builds are not subject to this issue.
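The overflow pattern behind this advisory, as an added illustration that is not DirectXTK code: a byte count for a texture block is computed from two attacker-controlled header fields, and on a build where `size_t` is 32 bits the product wraps, so a bounds check against the file size passes for a block that is actually far larger. The header field names (`stride`, `rows`) and the function names are assumptions for the example; `size32_t` models the 32-bit `size_t` of x86/ARM builds so the wrap is reproducible on any host.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Models size_t on x86/ARM (32-bit) builds, where the wrap is reachable.
using size32_t = uint32_t;

// Hypothetical header fields read from an untrusted .spritefont file;
// the real reader's names and layout are not taken from the advisory.
struct TextureHeader {
    uint32_t stride;  // bytes per row, attacker-controlled
    uint32_t rows;    // row count, attacker-controlled
};

// Unchecked 32-bit multiply: wraps silently (the vulnerable pattern).
size32_t unchecked_texture_bytes(const TextureHeader& h) {
    return static_cast<size32_t>(h.stride) * static_cast<size32_t>(h.rows);
}

// Checked multiply: widen to 64 bits and reject any product that
// does not fit in the 32-bit size type.
std::optional<size32_t> checked_texture_bytes(const TextureHeader& h) {
    const uint64_t wide =
        static_cast<uint64_t>(h.stride) * static_cast<uint64_t>(h.rows);
    if (wide > std::numeric_limits<size32_t>::max()) return std::nullopt;
    return static_cast<size32_t>(wide);
}

// Bounds check for reading the texture block out of the file buffer.
// Returns true only when the non-wrapped byte count fits in the
// remaining input; a wrapped product would have let an oversized
// block pass this check.
bool read_texture_block(const TextureHeader& h,
                        const std::vector<uint8_t>& file, size_t offset) {
    const auto bytes = checked_texture_bytes(h);
    if (!bytes) return false;                  // product would wrap on 32-bit
    if (offset > file.size()) return false;    // header lies past end of file
    return *bytes <= file.size() - offset;     // remaining input covers block
}
```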
### Patches
This bug has been fixed in the May 7, 2026 release. Alternatively, you can just update your copy of the reader as per [this commit](https://github.com/microsoft/DirectXTK12/commit/c037a024a7ed3b2162fa2bbbe209b84ba2904494).
### Workarounds
This does not apply if all of a project's .spritefont files are trusted data shipped with the application. It is primarily an issue when an application loads user-provided or network-downloaded .spritefont files.
🎯 Affected products
- nuget/directxtk12_desktop_win10: < 2026.4.1.1
- nuget/directxtk12_uwp: < 2026.4.1.1