CVE-2025-27363
Published: 2025-03-11
Priority: P1 85 high; CVSS 3.1 base score 8.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2025-05-27
Exploited in the wild
EPSS: 23.36% (97.5th percentile)
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | freetype | < freetype 2.12.1+dfsg-5+deb12u4 (bookworm) | freetype 2.12.1+dfsg-5+deb12u4 (bookworm) |
| freetype | freetype | <= 2.13.0 | — |
| freetype | freetype | >= 0 < 2.10.4+dfsg-1+deb11u2 | 2.10.4+dfsg-1+deb11u2 |
| freetype | freetype | >= 0 < 2.12.1+dfsg-5+deb12u4 | 2.12.1+dfsg-5+deb12u4 |
| freetype | freetype | >= 0 < 2.13.1+dfsg-1 | 2.13.1+dfsg-1 |
| freetype | freetype | >= 0 < 2.13.1+dfsg-1 | 2.13.1+dfsg-1 |
| freetype | freetype | >= 0 < 2.5.2-1ubuntu2.8+esm3 | 2.5.2-1ubuntu2.8+esm3 |
| freetype | freetype | >= 0 < 2.6.1-0.1ubuntu2.5+esm2 | 2.6.1-0.1ubuntu2.5+esm2 |
| freetype | freetype | >= 0 < 2.8.1-2ubuntu2.2+esm1 | 2.8.1-2ubuntu2.2+esm1 |
| freetype | freetype | 0.0.0 – 2.13.0 | — |
| android | — | — | — |
| msrc | cbl2_freetype_2.13.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_freetype_2.13.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_qt5-qtbase_5.12.11-16_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
| platform | external_freetype | >= 13:0 < 13:2025-05-01 | 13:2025-05-01 |
| platform | external_freetype | >= 14:0 < 14:2025-05-01 | 14:2025-05-01 |
Detection & IOCs (extracted from sources)
- Vulnerability triggers during parsing of TrueType GX and variable font files; monitor for suspicious font file loading (TTF/OTF with subglyph structures) in processes using FreeType versions 2.13.0 and below.
- The exploit mechanism involves a signed short to unsigned long type confusion causing heap buffer wrap-around followed by up to 6 out-of-bounds signed long integer writes; heap spray or corruption patterns near font subglyph parsing code paths are indicative.
- CVE-2025-27363 was addressed in Android's May 2025 security bulletin as a local code execution requiring no privileges or user interaction; flag unpatched Android devices and monitor for exploitation attempts via font rendering paths.
- Restrict font file loading to trusted sources only and validate input font files to detect or block malformed font structures that could trigger the OOB write.
- Only FreeType versions up to and including 2.13.0 are vulnerable; versions newer than 2.13.0 (e.g., 2.13.3) are not affected. Older library versions may persist in software projects long after the fix was released (February 9, 2023).
- The vulnerability affects a common open-source component used across many products (Linux, Android, game engines, GUI frameworks, online platforms); vendor-specific patching status must be checked individually.
- Red Hat Enterprise Linux 10 freetype package is listed as Not Affected; RHEL 6 freetype is out of support scope. Java OpenJDK packages on Red Hat are also listed as Not Affected.
- Oracle lists the vulnerability as remotely exploitable via HTTP in Oracle Fusion Middleware (FreeType component), indicating attack surface extends beyond local font rendering in some deployments.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 8.1 | HIGH | — |
| osv | 8.1 | HIGH | — |
| vulncheck | 8.1 | HIGH | — |
| cisa | 8.1 | HIGH | — |
| vendor_debian | 8.1 | HIGH | — |
| vendor_msrc | 8.1 | HIGH | — |
| vendor_oracle | 8.1 | HIGH | — |
| vendor_redhat | 8.1 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
GHSA
skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version
ghsa·2026-03-19·CVSS 8.1
CVE-2025-27363 [HIGH] CWE-1395
### Impact
The Linux wheels for skia-python vendor a vulnerable version of
libfreetype that is affected by CVE-2025-27363 [1].
The root cause is a chain of unfortunate events:
1. skia-python builds wheels using pinned pypa/cibuildwheel@v2.21.3 [2]
2. cibuildwheel 2.21.3 in turn pins manylinux container images [3]
3. In these images, version 2.9.1-9.el8 of RedHat package freetype is
*preinstalled*. This package version is vulnerable and has since been
patched in 2.9.1-10.
4. During the skia-python Linux build, libfreetype is vendored from the
system, resulting in skia-python.libs/libfreetype-29a7443c.so.6.16.1
[ To find the provenance of your vendored libfreetype, we extracted the
8-character hash of th
OSV
skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version
osv·2026-03-19·CVSS 8.1
CVE-2025-27363 [HIGH] (same advisory text as the GHSA entry above)
OSV
CVE-2025-27363: In load_truetype_glyph of ttgload
osv·2025-05-01
CVE-2025-27363: In load_truetype_glyph of ttgload
In load_truetype_glyph of ttgload.c, there is a possible out of bounds write due to an integer overflow. This could lead to local code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
OSV
freetype vulnerabilities
osv·2025-03-17·CVSS 7.5 [HIGH]
USN-7352-1 fixed a vulnerability in FreeType. This update provides the
corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. This
update also fixes an additional vulnerability in Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that FreeType incorrectly handled certain memory
operations when parsing font subglyph structures. A remote attacker could
use this issue to cause FreeType to crash, resulting in a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2025-27363)
Additional advisory details:
It was discovered that FreeType incorrectly handled certain memory
operations during typical execution. An attacker could possibly use
this issue to cause FreeType to cras
OSV
CVE-2025-27363: An out of bounds write exists in FreeType versions 2
osv·2025-03-11·CVSS 8.1
CVE-2025-27363 [HIGH] (description matches the summary at the top of this page)
GHSA
GHSA-g8qj-jv5h-78cp: An out of bounds write exists in FreeType versions 2
ghsa_unreviewed·2025-03-11
CVE-2025-27363 [HIGH] CWE-787 (description matches the summary at the top of this page)
VulnCheck
FreeType Out-of-Bounds Write Vulnerability
vulncheck·2025·CVSS 8.1
CVE-2025-27363 [HIGH] CWE-787
FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.
Affected: FreeType FreeType
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cve.org/CVERecord?id=CVE-2025-27363; https://www.facebook.com/security/advisories/cve-2025-27363; https://cyberalerts.io/vulnerability/CVE-2025-27363; https://source.android.com/docs/security/bulletin/2025-05-01; https
Oracle
Oracle Hyperion Risk Matrix: Install (FreeType) — CVE-2025-27363
vendor_oracle·2026-01-15·CVSS 8.1
CVE-2025-27363 [HIGH]
CVE: CVE-2025-27363
CVSS: 8.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
Oracle
Oracle Construction and Engineering Risk Matrix: Outside In Technology Installer in P6 (FreeType) — CVE-2025-27363
vendor_oracle·2025-10-15·CVSS 8.1
CVE-2025-27363 [HIGH]
CVE: CVE-2025-27363
CVSS: 8.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2025 (OCT 2025)
Oracle
Oracle Database Server Risk Matrix: Oracle Text (FreeType) — CVE-2025-27363
vendor_oracle·2025-07-15·CVSS 7.5
CVE-2025-27363 [HIGH]
CVE: CVE-2025-27363
CVSS: 7.5
Protocol: Oracle Net
Remote exploit: No
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Palo Alto
PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto·2025-07-09·CVSS 7.5
CVE-2018-6594 [HIGH]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
| CVE | Summary |
|---|---|
| CVE-2018-6594 | This CVE is fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS |
| CVE-2018-25032 | This CVE is fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS |
| CVE-2019-5827 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13750 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13751 | This CVE is fixed in PAN-OS 11.1.4, and all later versions |
Palo Alto
PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto·2025-07-09·CVSS 7.5
CVE-2023-38546 [HIGH] (same bulletin text as the entry above)
CISA
FreeType Out-of-Bounds Write Vulnerability
cisa·2025-05-06·CVSS 8.1
CVE-2025-27363 [HIGH] CWE-787 FreeType Out-of-Bounds Write Vulnerability
Vulnerability: FreeType Out-of-Bounds Write Vulnerability
Affected: FreeType FreeType
FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2025-05-01 ; https://nvd.nist.gov/vuln/detail/C
Android
CVE-2025-27363: Android Security Bulletin 2025-05-01
vendor_android·2025-05-01·CVSS 8.1
CVE-2025-27363 [HIGH]
CVE: CVE-2025-27363
Severity: HIGH
Type: RCE
Affected AOSP versions: 13, 14
References: A-399065987
Oracle
Oracle Fusion Middleware Risk Matrix: DC-Specific Component (FreeType) — CVE-2025-27363
vendor_oracle·2025-04-15·CVSS 8.1
CVE-2025-27363 [HIGH]
CVE: CVE-2025-27363
CVSS: 8.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2025 (APR 2025)
BSD
OpenBSD 7.5 Errata 020: SECURITY FIX
bsd_advisories·2025-03-25·CVSS 8.1
CVE-2025-27363 [HIGH]
020: SECURITY FIX: March 25, 2025
All architectures Prevent out-of-bounds write in FreeType heap. CVE-2025-27363
Ubuntu
FreeType vulnerabilities
vendor_ubuntu·2025-03-17·CVSS 7.5
CVE-2022-27406 [HIGH] FreeType vulnerabilities
Title: FreeType vulnerabilities
Summary: Several security issues were fixed in FreeType.
USN-7352-1 fixed a vulnerability in FreeType. This update provides the
corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. This
update also fixes an additional vulnerability in Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that FreeType incorrectly handled certain memory
operations when parsing font subglyph structures. A remote attacker could
use this issue to cause FreeType to crash, resulting in a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2025-27363)
Additional advisory details:
It was discovered that FreeType incorrectly handled certain memory
operations during typical execution. An
Ubuntu
FreeType vulnerability
vendor_ubuntu·2025-03-17
CVE-2025-27363 FreeType vulnerability
Title: FreeType vulnerability
Summary: FreeType could be made to crash or run programs if it opened a specially
crafted font file.
It was discovered that FreeType incorrectly handled certain memory
operations when parsing font subglyph structures. A remote attacker could
use this issue to cause FreeType to crash, resulting in a denial of
service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
freetype: OOB write when attempting to parse font subglyph structures related to TrueType GX and variable font files
vendor_redhat·2025-03-11·CVSS 8.1
CVE-2025-27363 [HIGH] CWE-787 (description matches the summary at the top of this page)
A flaw was found in FreeType. In affected versions, an out-of-bounds write condition may be triggered when attem
Microsoft
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variabl
vendor_msrc·2025-03-11·CVSS 8.1
CVE-2025-27363 [HIGH] CWE-787 (description matches the summary at the top of this page)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro
Debian
CVE-2025-27363: freetype - An out of bounds write exists in FreeType versions 2.13.0 and below (newer versi...
vendor_debian·2025·CVSS 8.1
CVE-2025-27363 [HIGH] (description matches the summary at the top of this page)
Scope: local
bookworm: resolved (fixed in 2.12.1+dfsg-5+deb12u4)
bullseye: resolved (fixed in 2.10.4+dfsg-1+deb11u2)
forky: resolved (fixed in 2.13.1+dfsg-1)
sid: resolved (fixed in 2.13.1+dfsg-1)
trixie: resolved (fixed in 2.13.1+
No detection rules found.
No public exploits indexed.
Qualys
Oracle Critical Patch Update, July 2025 Security Update Review
blogs_qualys·2025-07-16
Oracle Critical Patch Update, July 2025 Security Update Review
## Table of Contents
Qualys QID Coverage
Notable Oracle Vulnerabilities Patched
Oracle released its second quarterly edition of this year’s Critical Patch Update. The update received patches for 309 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 84, constituting about 27% of the total patches released. Oracle MySQL and Oracle Fusion Middleware followed, with 40 and 36 security patches.
228 of the 309 security patches provided by the July Critical Patch Update (about 74%) are for non-Oracle CVEs, su
Checkpoint
12th May – Threat Intelligence Report
blogs_checkpoint·2025-05-12
CVE-2025-27363 12th May – Threat Intelligence Report
## 12th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The UK’s Legal Aid Agency has suffered a cyberattack. The agency, which operates under the Ministry of Justice to provide billions in legal aid funding, has stated that financial information relating to legal aid providers may have been accessed by a third party.
UK based Education giant Pearson disclosed it had suffered a cyber
Bleepingcomputer
Facebook discloses FreeType 2 flaw exploited in attacks
blogs_bleepingcomputer·2025-03-12·CVSS 8.1
[HIGH] Facebook discloses FreeType 2 flaw exploited in attacks
## Bill Toulas
Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks.
FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others.
The library is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.
The vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of 8.1 ("high"), was fixed in FreeType version 2.13.0 on February 9th,
Bugzilla
CVE-2025-27363: out of bounds write exists in FreeType versions 2.13.0 and below [ESR-115]
bugzilla·2025-05-07·CVSS 8.1
CVE-2025-27363 [HIGH]
https://www.facebook.com/security/advisories/cve-2025-27363
> Description: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
Per https://security-tracker.debian.org/tracker/CVE-2025-27363:
Bugzilla
CVE-2025-27363 freetype: OOB write when attempting to parse font subglyph structures related to TrueType GX and variable font files
bugzilla·2025-03-11·CVSS 8.1
CVE-2025-27363 [HIGH] (description matches the summary at the top of this page)
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red
CWE
CWE-131: Incorrect Calculation of Buffer Size
mitre_cwe
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Availability, Confidentiality. Impact: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory, Modify Memory. If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data.
Detection Methods:
Automated Static Analysis: This
CWE
CWE-190: Integer Overflow or Wraparound
mitre_cwe
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Modes of Introduction:
Phase: Implementation
Note: This weakness may become security critical when determining the offset or size in behaviors such as memory allocation, copying, and concatenation.
Common Consequences:
Scope: Availability. Impact: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Memory), DoS: Instability. This weakness can generally lead to undefined behav
CWE
CWE-787: Out-of-bounds Write
mitre_cwe
The product writes data past the end, or before the beginning, of the intended buffer.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Memory, Execute Unauthorized Code or Commands. Write operations could cause memory corruption. In some cases, an adversary can modify control data such as return addresses in order to execute unexpected code.
Scope: Availability. Impact: DoS: Crash, Exit, or Restart. Attempting to access out-of-range, invalid, or unauthorized memory could cause the product to crash.
Scope: Other. Impact: Unexpected State. Subsequent write operations can produce undefined or unexpected results.
Detection Methods:
Automated Static Analysis: This weakness can often be detected using automated s
CWE
CWE-195: Signed to Unsigned Conversion Error
mitre_cwe
The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate assumptions made by the program. Often, functions will return negative values to indicate a failure. When the result of a function is to be used as a size parameter, using these negative return values can have unexpected results. For example, if negative size values are passed to the standard memory copy or allocation functions they will be implicitly cast to a large unsigned value. This may lead to
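The size-calculation chain that the CVE description at the top of this page and the CWE-195 entry above both describe (a signed short stored into an unsigned long, a constant added, the wrapped result used as an allocation size), as an added C example. It is not code from this page or from FreeType: the names HEADROOM_SLOTS, weak_buffer_bytes, safe_buffer_bytes and overrun_bytes are hypothetical, and the constant 4 is a stand-in for the "static value" the advisory mentions. The weak function only computes the undersized request and never allocates or writes; the hardened form shows the checks that keep a negative count from ever becoming a size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constant standing in for the "static value" the advisory
 * mentions; real FreeType code uses different names and numbers. */
#define HEADROOM_SLOTS 4UL

/* Weak pattern (modelled on the advisory text, not FreeType source):
 * a signed 16-bit count is assigned to an unsigned long, a constant is
 * added, and the result sizes a heap buffer. A negative count first
 * becomes a huge unsigned value and the addition then wraps to a tiny one. */
size_t weak_buffer_bytes(short count) {
    unsigned long slots = count;            /* CWE-195: -4 becomes ULONG_MAX - 3 */
    slots += HEADROOM_SLOTS;                /* CWE-190: ULONG_MAX - 3 + 4 wraps to 0 */
    return (size_t)(slots * sizeof(long));  /* CWE-131: undersized allocation request */
}

/* Hardened form: reject negative counts before any conversion and check
 * each step that could overflow. Returns 0 on success, -1 on rejection. */
int safe_buffer_bytes(short count, size_t *out_bytes) {
    if (count < 0)
        return -1;                          /* a sign bit must never become a size */
    size_t slots = (size_t)count;
    if (slots > SIZE_MAX - HEADROOM_SLOTS)
        return -1;                          /* addition would wrap */
    slots += HEADROOM_SLOTS;
    if (slots > SIZE_MAX / sizeof(long))
        return -1;                          /* multiplication would wrap */
    *out_bytes = slots * sizeof(long);
    return 0;
}

/* Bytes by which a writer storing `needed_slots` longs would run past a
 * buffer of `allocated` bytes; 0 when the buffer is large enough. Used
 * here only to quantify the mismatch, not to perform any write. */
size_t overrun_bytes(size_t allocated, size_t needed_slots) {
    size_t needed = needed_slots * sizeof(long);
    return needed > allocated ? needed - allocated : 0;
}

int main(void) {
    /* Constructed sample counts: one valid, two negative as a malformed
     * font might supply. */
    short counts[] = { 10, -2, -4 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        short c = counts[i];
        size_t weak = weak_buffer_bytes(c);
        size_t safe = 0;
        int ok = safe_buffer_bytes(c, &safe);
        printf("count=%3d  weak request=%zu bytes  safe=%s  "
               "overrun if 6 longs are written=%zu bytes\n",
               c, weak, ok == 0 ? "accepted" : "rejected",
               overrun_bytes(weak, 6));
    }
    return 0;
}
```

Building with `-Wsign-conversion` (GCC and Clang) flags the implicit short-to-unsigned-long assignment in the weak function at compile time; the hardened function needs no such warning because it never converts a possibly negative value.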
References:
- https://www.facebook.com/security/advisories/cve-2025-27363
- http://www.openwall.com/lists/oss-security/2025/03/13/1
- http://www.openwall.com/lists/oss-security/2025/03/13/11
- http://www.openwall.com/lists/oss-security/2025/03/13/12
- http://www.openwall.com/lists/oss-security/2025/03/13/2
- http://www.openwall.com/lists/oss-security/2025/03/13/3
- http://www.openwall.com/lists/oss-security/2025/03/13/8
- http://www.openwall.com/lists/oss-security/2025/03/14/1
- http://www.openwall.com/lists/oss-security/2025/03/14/2
- http://www.openwall.com/lists/oss-security/2025/03/14/3
- http://www.openwall.com/lists/oss-security/2025/03/14/4
- http://www.openwall.com/lists/oss-security/2025/05/06/3
- http://www.openwall.com/lists/oss-security/2026/04/16/5
- http://www.openwall.com/lists/oss-security/2026/04/19/3
- https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
- https://source.android.com/docs/security/bulletin/2025-05-01
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363
- 2025-03-11: Published
- 2025-05-06: Added to CISA KEV
- Exploited in the wild