CVE-2025-23022

[ogipierogi]

Hello,
Our security scanners detected CVE-2025-23022 vulnerability in SAP Machine we use.
Namely in:

• 11.0.26
• 17.0.14
• 21.0.6

versions for the freetype component under:

• usr/java/sapmachine-11/jmods/java.desktop.jmod
• usr/java/sapmachine-11/lib/libfreetype.so
• usr/java/sapmachine-17/jmods/java.desktop.jmod
• usr/java/sapmachine-17/lib/libfreetype.so
• usr/java/sapmachine-21/jmods/java.desktop.jmod
• usr/java/sapmachine-21/lib/libfreetype.so

But the version of freetype bundled with SAP Machine is not specified.
Could you please confirm which freetype version is used and whether it is false-positive or true-positive finding?