KEVIntel

CVSS: 8.1 (High)

CVE-2025-27363

Status: PUBLISHED


Tags: Exploited in the wild · PoC available · Remote · No user interaction

Vendor: FreeType
Product: FreeType
Published: Mar 11, 2025
EPSS: 70.8% (99th percentile)

Description

An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate too small a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
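The conversion pattern the description names, as a constructed C illustration added here (not FreeType's code): the constant EXTRA_SLOTS and the function names are assumptions, since the page does not give the real values. It shows how a negative signed short turns into a huge unsigned long, how adding a constant wraps it back to a tiny allocation, and what the input check that prevents it looks like.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the "static value" the description mentions;
   the real constant used by FreeType is not given on this page. */
#define EXTRA_SLOTS 4u

/* Vulnerable pattern: a count parsed from the font as a signed short is
   stored in an unsigned long before a constant is added. A negative
   count converts to a value near ULONG_MAX, and the addition wraps it
   back to a tiny number, so the heap allocation ends up far too small. */
unsigned long buggy_slot_count(short parsed_count)
{
    unsigned long n = parsed_count;   /* e.g. -3 becomes ULONG_MAX - 2 */
    return n + EXTRA_SLOTS;           /* ULONG_MAX - 2 + 4 wraps to 1 */
}

/* Overflow test for the buggy computation: an unsigned addition wrapped
   exactly when the sum is smaller than the constant that was added. */
int addition_wrapped(short parsed_count)
{
    return buggy_slot_count(parsed_count) < (unsigned long)EXTRA_SLOTS;
}

/* Hardened version: reject a negative count as malformed input, then
   bound-check the size arithmetic against SIZE_MAX before using it. */
int safe_alloc_bytes(short parsed_count, size_t *out_bytes)
{
    if (parsed_count < 0)
        return 0;                     /* negative count: malformed font */
    size_t n = (size_t)parsed_count;
    if (n > SIZE_MAX / sizeof(long) - EXTRA_SLOTS)
        return 0;                     /* (n + EXTRA_SLOTS) * 8 would overflow */
    *out_bytes = (n + EXTRA_SLOTS) * sizeof(long);
    return 1;
}

int main(void)
{
    short samples[] = { 10, 0, -1, -3 };   /* constructed input counts */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = 0;
        printf("count=%d buggy_slots=%lu wrapped=%d safe=%s\n",
               samples[i], buggy_slot_count(samples[i]),
               addition_wrapped(samples[i]),
               safe_alloc_bytes(samples[i], &bytes) ? "ok" : "rejected");
    }
    return 0;
}
```

A count of -3 yields an allocation of a single slot under the buggy computation, which is what lets the later writes of several longs land past the end of the buffer.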


CVSS scores

CVSS v3.1 8.1 High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2025-05-16 08:36:38 UTC

Proof of concept available

Recorded 2025-03-23 23:30:37 UTC

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: total

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

CISA: added Jun 02, 2026
CyberInsider: added May 06, 2025

Recent mentions

Google Fixes Actively Exploited Android System Flaw in May 2025 Security Update

TheHackerNews · May 06, 2025

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild. The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges. "The most severe of

Android May 2025 Security Update Fixes Actively Exploited FreeType Zero-Day

CyberInsider · May 05, 2025

Google’s Android security update for May 2025 patches a zero-day vulnerability in the FreeType font library that is currently being exploited in the wild, alongside dozens of high-severity flaws across the system, framework, and various hardware components. The zero-day, tracked as CVE-2025-27363, resides in the System component and stems from a memory handling bug in …

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

zhuowei/CVE-2025-27363-proof-of-concept

github · Created 2025-03-23 23:30:37 UTC · 6 stars

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Added to KEVIntel