CVE-2025-27363 : An out of bounds write exists in FreeType versions 2.13.0 and below (newer versi

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Published 2025-03-11 13:28:32

Updated 2025-05-07 16:00:56

Source Facebook, Inc.

View at NVD, CVE.org

Products affected by CVE-2025-27363

Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Freetype » Freetype
Versions up to, including, (<=) 2.13.0
cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*
Matching versions
Freetype » Freetype
Versions from including (>=) 0.0.0 and up to, including, (<=) 2.13.0
cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*
Matching versions

CVE-2025-27363 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

FreeType Out-of-Bounds Write Vulnerability

CISA required action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA description:

FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.

Notes:

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2025-05-01 ; https://nv

Added on 2025-05-06 Action due date 2025-05-27

Exploit prediction scoring system (EPSS) score for CVE-2025-27363

EPSS FAQ

68.42%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2025-27363

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/...	N/A	N/A	Facebook, Inc.	2025-03-11
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	Facebook, Inc.	2025-03-11
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	NIST	2025-05-07
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2025-27363

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2025-27363

http://www.openwall.com/lists/oss-security/2025/03/13/11

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
http://www.openwall.com/lists/oss-security/2025/03/14/2

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
https://source.android.com/docs/security/bulletin/2025-05-01

Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/03/13/3

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
http://www.openwall.com/lists/oss-security/2025/03/14/3

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
http://www.openwall.com/lists/oss-security/2025/03/13/12

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html

Mailing List
http://www.openwall.com/lists/oss-security/2025/05/06/3

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
http://www.openwall.com/lists/oss-security/2025/03/14/1

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
https://www.facebook.com/security/advisories/cve-2025-27363

CVE-2025-27363
Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/03/14/4

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
http://www.openwall.com/lists/oss-security/2025/03/13/1

oss-security - CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
http://www.openwall.com/lists/oss-security/2025/03/13/8

oss-security - Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
Mailing List
http://www.openwall.com/lists/oss-security/2025/03/13/2

Mailing List