CVE-2025-27363
published 2025-03-11


Priority: P1 85 high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-05-27
Exploited in the wild
EPSS: 23.36% (97.5th percentile)
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
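The size arithmetic the description refers to (a negative signed short widened to unsigned long, plus a fixed increment, wrapping to a tiny count) is shown below as an added C illustration. This is not FreeType's code and does not reproduce its internals: the function names, EXTRA_SLOTS and the sample counts are constructed for the illustration. The hardened variant shows the input check that prevents the undersized allocation.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the "static value" the advisory mentions:
 * a fixed number of extra slots added on top of a parsed point count. */
#define EXTRA_SLOTS 4UL

/* Vulnerable pattern (illustrative, not FreeType's code):
 * a signed 16-bit count is assigned to an unsigned long, which sign-extends
 * a negative value to a huge number; adding EXTRA_SLOTS then wraps around
 * to a very small count, so the buffer sized from it is far too small. */
unsigned long vulnerable_slot_count(short n_points)
{
    unsigned long count = n_points;   /* -3 becomes ULONG_MAX - 2 */
    count += EXTRA_SLOTS;             /* ULONG_MAX - 2 + 4 wraps to 1 */
    return count;
}

/* Hardened pattern: reject negative counts before widening and make sure
 * the increment cannot overflow. Returns 0 on invalid input; valid results
 * are always >= EXTRA_SLOTS, so 0 is unambiguous. */
unsigned long safe_slot_count(short n_points)
{
    if (n_points < 0)
        return 0;
    unsigned long count = (unsigned long)n_points;
    if (count > ULONG_MAX - EXTRA_SLOTS)
        return 0;
    return count + EXTRA_SLOTS;
}

/* Convert a slot count to a byte size for an array of long, refusing
 * sizes whose multiplication would overflow size_t. Returns 0 on overflow. */
size_t bytes_for_slots(unsigned long slots)
{
    if (slots == 0 || slots > SIZE_MAX / sizeof(long))
        return 0;
    return (size_t)slots * sizeof(long);
}

int main(void)
{
    /* Constructed sample counts: one negative (malformed input), one sane. */
    short samples[] = { -3, 10 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short n = samples[i];
        unsigned long bad = vulnerable_slot_count(n);
        unsigned long good = safe_slot_count(n);
        printf("n_points=%d: vulnerable count=%lu (%zu bytes), "
               "hardened count=%lu (%s)\n",
               n, bad, bytes_for_slots(bad), good,
               good ? "accepted" : "rejected");
    }
    return 0;
}
```

Run as-is, the negative sample yields a count of 1 from the vulnerable arithmetic, so a buffer sized from it holds a single long while the caller expects room for the count plus the extra slots; the hardened routine rejects the same input before any allocation is sized.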

Affected

18 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | freetype | < freetype 2.12.1+dfsg-5+deb12u4 (bookworm) | freetype 2.12.1+dfsg-5+deb12u4 (bookworm)
freetype | freetype | <= 2.13.0 |
freetype | freetype | >= 0 < 2.10.4+dfsg-1+deb11u2 | 2.10.4+dfsg-1+deb11u2
freetype | freetype | >= 0 < 2.12.1+dfsg-5+deb12u4 | 2.12.1+dfsg-5+deb12u4
freetype | freetype | >= 0 < 2.13.1+dfsg-1 | 2.13.1+dfsg-1
freetype | freetype | >= 0 < 2.13.1+dfsg-1 | 2.13.1+dfsg-1
freetype | freetype | >= 0 < 2.5.2-1ubuntu2.8+esm3 | 2.5.2-1ubuntu2.8+esm3
freetype | freetype | >= 0 < 2.6.1-0.1ubuntu2.5+esm2 | 2.6.1-0.1ubuntu2.5+esm2
freetype | freetype | >= 0 < 2.8.1-2ubuntu2.2+esm1 | 2.8.1-2ubuntu2.2+esm1
freetype | freetype | 0.0.0 – 2.13.0 |
google | android | |
msrc | cbl2_freetype_2.13.0-1_on_cbl_mariner_2.0 | |
msrc | cbl2_freetype_2.13.1-1_on_cbl_mariner_2.0 | |
msrc | cbl2_qt5-qtbase_5.12.11-16_on_cbl_mariner_2.0 | |
paloalto | pan-os | |
platform | external_freetype | >= 13:0 < 13:2025-05-01 | 13:2025-05-01
platform | external_freetype | >= 14:0 < 14:2025-05-01 | 14:2025-05-01

Detection & IOCs (extracted from sources)

  • Vulnerability triggers during parsing of TrueType GX and variable font files; monitor for suspicious font file loading (TTF/OTF with subglyph structures) in processes using FreeType versions 2.13.0 and below
  • The exploit mechanism involves a signed short to unsigned long type confusion causing heap buffer wrap-around followed by up to 6 out-of-bounds signed long integer writes; heap spray or corruption patterns near font subglyph parsing code paths are indicative
  • CVE-2025-27363 was addressed in Android's May 2025 security bulletin as a local code execution requiring no privileges or user interaction; flag unpatched Android devices and monitor for exploitation attempts via font rendering paths
  • Restrict font file loading to trusted sources only and validate input font files to detect or block malformed font structures that could trigger the OOB write
  • Only FreeType versions up to and including 2.13.0 are vulnerable; versions newer than 2.13.0 (e.g., 2.13.3) are not affected. Older library versions may persist in software projects long after the fix was released (February 9, 2023).
  • The vulnerability affects a common open-source component used across many products (Linux, Android, game engines, GUI frameworks, online platforms); vendor-specific patching status must be checked individually.
  • Red Hat Enterprise Linux 10 freetype package is listed as Not Affected; RHEL 6 freetype is out of support scope. Java OpenJDK packages on Red Hat are also listed as Not Affected.
  • Oracle lists the vulnerability as remotely exploitable via HTTP in Oracle Fusion Middleware (FreeType component), indicating attack surface extends beyond local font rendering in some deployments.

CVSS provenance

  • nvd (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • ghsa: 8.1 HIGH
  • osv: 8.1 HIGH
  • vulncheck: 8.1 HIGH
  • cisa: 8.1 HIGH
  • vendor_debian: 8.1 HIGH
  • vendor_msrc: 8.1 HIGH
  • vendor_oracle: 8.1 HIGH
  • vendor_redhat: 8.1 HIGH
  • vendor_ubuntu: 7.5 HIGH