⚠ Actively exploited
Added to CISA KEV on 2025-05-06. Federal agencies are required to patch by 2025-05-27. Required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Severity
NVD: 8.1 HIGH
OSV: 7.5
EPSS: 70.3% (top 1.31%)
CISA KEV: listed, added 2025-05-06, due 2025-05-27
Exploit: no known public exploit code listed (exploitation in the wild is what the KEV listing records; see the Bleepingcomputer item under Threat Intelligence)
Timeline
Published: Mar 11, 2025
KEV added: May 6, 2025
KEV due: May 27, 2025
Latest update: Mar 19, 2026

Description

An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate too small a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary cod
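The integer conversion the description names, as an added example that is not FreeType's code: a simplified C model of the pattern (a signed short from the font widened to unsigned long, a constant added, the wrapped result used as the element count for the heap allocation) beside a hardened check that rejects the input before widening. EXTRA_ENTRIES, the function names and the sample counts are constructed for this illustration; FreeType's actual constant and the exact number of out-of-bounds writes (up to 6 per the description) differ from this model, and the code only computes the mismatch rather than performing the bad write.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed constant for this illustration: the number of fixed extra
 * entries the parser appends after the n real entries. It stands in for the
 * "static value" the CVE text mentions; it is not FreeType's own constant. */
#define EXTRA_ENTRIES 4UL

/* Vulnerable pattern (hypothetical reconstruction, not FreeType's code):
 * a signed 16-bit count read from the font is assigned to an unsigned long
 * and a constant is added. A negative count becomes a huge unsigned value and
 * the addition wraps to a tiny element count, so the heap buffer is undersized. */
unsigned long vuln_alloc_count(short n_points)
{
    unsigned long count = (unsigned long)n_points; /* -1 -> ULONG_MAX */
    count += EXTRA_ENTRIES;                        /* ULONG_MAX + 4 wraps to 3 */
    return count;
}

/* Elements the later code writes in this model: the EXTRA_ENTRIES fixed
 * entries are always written, plus one entry per real point when positive. */
unsigned long entries_written(short n_points)
{
    unsigned long writes = EXTRA_ENTRIES;
    if (n_points > 0)
        writes += (unsigned long)n_points;
    return writes;
}

/* How many elements the vulnerable sizing leaves outside the buffer.
 * Computed arithmetically; nothing here performs an out-of-bounds write. */
unsigned long oob_elements(short n_points)
{
    unsigned long alloc = vuln_alloc_count(n_points);
    unsigned long writes = entries_written(n_points);
    return writes > alloc ? writes - alloc : 0;
}

/* Hardened form: reject negative counts before widening and check the
 * addition for overflow (the overflow check cannot fire for a short, but it
 * is what the general pattern needs). Returns -1 when the input is rejected. */
long safe_alloc_count(short n_points)
{
    if (n_points < 0)
        return -1;
    unsigned long count = (unsigned long)n_points;
    if (count > ULONG_MAX - EXTRA_ENTRIES)
        return -1;
    return (long)(count + EXTRA_ENTRIES);
}

int main(void)
{
    /* Constructed sample counts, including the negative values a malformed
     * font could supply in a signed 16-bit field. */
    short samples[] = { 10, 0, -1, -2, -3, -4 };
    size_t i;

    printf("%7s %12s %8s %5s %6s\n", "n", "vuln_alloc", "writes", "oob", "safe");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short n = samples[i];
        printf("%7d %12lu %8lu %5lu %6ld\n", n, vuln_alloc_count(n),
               entries_written(n), oob_elements(n), safe_alloc_count(n));
    }
    return 0;
}
```

With n = -1 the vulnerable formula sizes the buffer for 3 elements while the code still writes 4, and with n = -4 it wraps to 0 elements; the hardened form returns -1 for every negative count, which is the check a parser of attacker-controlled font data needs before the width conversion, not after it.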

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (11 packages)

Debian debian/freetype: < 2.12.1+dfsg-5+deb12u4 (bookworm)
Android platform/external_freetype: 13:0 to 13:2025-05-01 (+1 more)
Debian freetype/freetype: < 2.10.4+dfsg-1+deb11u2 (+3 more)
Ubuntu freetype/freetype: < 2.5.2-1ubuntu2.8+esm3 (+2 more)
CVEListV5 freetype/freetype: 0.0.0 through 2.13.0

Also affects: Debian Linux 11.0

🔴 Vulnerability Details (7)

GHSA: skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version (2026-03-19)
OSV: skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version (2026-03-19)
OSV: CVE-2025-27363: In load_truetype_glyph of ttgload (2025-05-01)
OSV: freetype vulnerabilities (2025-03-17)
OSV: CVE-2025-27363: An out of bounds write exists in FreeType versions 2… (2025-03-11)

📋 Vendor Advisories (13)

Oracle: Oracle Hyperion Risk Matrix: Install (FreeType) — CVE-2025-27363 (2026-01-15)
Oracle: Oracle Construction and Engineering Risk Matrix: Outside In Technology Installer in P6 (FreeType) — CVE-2025-27363 (2025-10-15)
Oracle: Oracle Database Server Risk Matrix: Oracle Text (FreeType) — CVE-2025-27363 (2025-07-15)
Palo Alto: PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS (2025-07-09)
CISA: FreeType Out-of-Bounds Write Vulnerability (2025-05-06)

🕵️ Threat Intelligence (3)

Qualys: Oracle Critical Patch Update, July 2025 Security Update Review (2025-07-16)
Bleepingcomputer: Facebook discloses FreeType 2 flaw exploited in attacks (2025-03-12)

📐 Framework References (4)

CWE: Incorrect Calculation of Buffer Size
CWE: Integer Overflow or Wraparound
CWE: Out-of-bounds Write
CWE: Signed to Unsigned Conversion Error

💬 Community (1)

Bugzilla: CVE-2025-27363: out of bounds write exists in FreeType versions 2.13.0 and below [ESR-115] (2025-05-07)
CVE-2025-27363 — Out-of-bounds Write | cvebase