GHSA-c55g-rp4x-fx84 | Severity: Medium | Disclosed before NVD
Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds
Description
### Impact
The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in an RCE.
This impacts the use of the *DirectX Tool Kit* **SpriteFont** class file-loading ctor if it is given untrusted data files.
> Note this only applies to x86/ARM builds of the library. ARM64 and x64 native builds are not subject to this issue.
### Patches
This bug has been fixed in the May 7, 2026 release. Alternatively, users can update their copy of the reader as per [this commit](https://github.com/microsoft/DirectXTK/commit/ef1bd5d7f492c39dd0cd87493ba8ea38725c9791).
### Workarounds
This does not apply if a project's .spritefont files are all 'trusted' data that were included with an application. It is primarily an issue if developers load user-provided or network-downloaded spritefont files.
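The defect class described above, as an added illustration that is not DirectXTK's reader code: a glyph count read from an untrusted header is multiplied by a per-glyph record size in 32-bit `size_t` arithmetic and wraps to a small value, while the checked variant rejects the file. The header layout and the 32-byte record size are assumptions made for this example only.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Assumed per-glyph record size (illustration only, not the real .spritefont layout).
constexpr uint32_t kGlyphRecordSize = 32;

// Models the 32-bit build: size_t is 32 bits wide, so count * size wraps silently.
// Returns the byte count an unchecked reader would go on to allocate.
uint32_t unchecked_glyph_bytes32(uint32_t glyph_count) {
    return glyph_count * kGlyphRecordSize;  // wraps modulo 2^32
}

// Hardened form: refuse any count whose product would not fit in 32 bits,
// so the caller rejects the file instead of allocating a wrapped size.
std::optional<uint32_t> checked_glyph_bytes32(uint32_t glyph_count) {
    if (glyph_count > std::numeric_limits<uint32_t>::max() / kGlyphRecordSize) {
        return std::nullopt;
    }
    return glyph_count * kGlyphRecordSize;
}

// Builds a constructed sample file: 4-byte little-endian glyph count, then
// payload_bytes bytes of zeroed glyph data.
std::vector<uint8_t> make_constructed_file(uint32_t glyph_count, size_t payload_bytes) {
    std::vector<uint8_t> file(4 + payload_bytes, 0);
    for (int i = 0; i < 4; ++i) file[i] = uint8_t(glyph_count >> (8 * i));
    return file;
}

// Simulated loader: returns the glyph-table size in bytes, or -1 when the
// header is short, the size computation would overflow, or the table is truncated.
int64_t load_glyph_table(const std::vector<uint8_t>& file) {
    if (file.size() < 4) return -1;
    uint32_t count = 0;
    for (int i = 0; i < 4; ++i) count |= uint32_t(file[i]) << (8 * i);
    std::optional<uint32_t> bytes = checked_glyph_bytes32(count);
    if (!bytes) return -1;                       // overflow: reject the file
    if (file.size() - 4 < *bytes) return -1;     // truncated table: reject
    return *bytes;
}
```

With a count of 0x08000001 the unchecked product wraps to 32, so a 36-byte file would pass a naive size check; the checked path rejects it outright.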
Affected products
- nuget/directxtk_desktop_win10: < 2026.4.1.1
- nuget/directxtk_uwp: < 2026.4.1.1