CVE-2025-27363

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font...

Basic Information

CVE State
PUBLISHED
Reserved Date
February 21, 2025
Published Date
March 11, 2025
Last Updated
May 07, 2025
Vendor
FreeType
Product
FreeType
Description
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
Tags
cisa
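
The description above gives the mechanism rather than the code: a signed 16-bit count taken from the font is widened to an unsigned long, a constant is added, the sum wraps, the heap buffer is allocated too small, and a later write loop overruns it. The C below is an added illustration of that bug class and is not FreeType's code; the field names, the constant 4 (modelled as phantom entries), and the assumption that the write loop counts the subglyph records actually parsed rather than the header field are all modelling choices. The vulnerable arithmetic is shown beside a hardened version that rejects negative counts before widening, ties the allocation to the same count the writer uses, and checks the addition and multiplication for overflow. The out-of-bounds write is only computed, never performed.

```c
/* Model of the integer-wrap bug class in the CVE description.
 * Added illustration, not FreeType code: names, the constant 4 and the
 * two-count layout are assumptions made for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PHANTOM_ENTRIES 4UL   /* the "static value" added to the count (assumed) */

/* Vulnerable computation: a signed 16-bit count from the font is assigned to
 * an unsigned long (sign-extended to int, then converted modulo 2^N) and a
 * constant is added. A negative count therefore wraps to a tiny allocation. */
unsigned long vuln_alloc_entries(short count_from_font)
{
    unsigned long n = count_from_font;   /* -4 becomes ULONG_MAX - 3 */
    n += PHANTOM_ENTRIES;                /* ... + 4 wraps to 0 */
    return n;
}

/* Number of long entries the consumer writes in this model: one per
 * subglyph record actually parsed, plus the phantom entries. */
size_t entries_written(size_t records_parsed)
{
    return records_parsed + PHANTOM_ENTRIES;
}

/* How many writes would land past the end of the vulnerable allocation.
 * Purely arithmetic; no buffer is allocated or written. */
size_t vuln_oob_writes(short count_from_font, size_t records_parsed)
{
    unsigned long allocated = vuln_alloc_entries(count_from_font);
    size_t written = entries_written(records_parsed);
    return written > allocated ? written - allocated : 0;
}

/* Hardened computation: refuse negative counts before any widening, require
 * the header count to match what was actually parsed (so allocation and
 * write loop derive from the same number), and do the addition and the
 * byte-size multiply with overflow checks. Returns false if the input is
 * unusable; *bytes is set only on success. */
bool safe_alloc_bytes(short count_from_font, size_t records_parsed, size_t *bytes)
{
    if (count_from_font < 0)
        return false;                      /* never sign-extend a negative count */
    size_t n = (size_t)count_from_font;    /* now in [0, 32767] */
    if (n != records_parsed)
        return false;                      /* header disagrees with parsed data */
    size_t entries, total;
    if (__builtin_add_overflow(n, PHANTOM_ENTRIES, &entries))
        return false;
    if (__builtin_mul_overflow(entries, sizeof(long), &total))
        return false;
    *bytes = total;
    return true;
}

/* Convenience wrapper: byte count on success, 0 on rejection. */
size_t safe_bytes_or_zero(short count_from_font, size_t records_parsed)
{
    size_t bytes = 0;
    return safe_alloc_bytes(count_from_font, records_parsed, &bytes) ? bytes : 0;
}

int main(void)
{
    /* Constructed input: a header count of -4 with two subglyph records
     * actually present in the glyph data. */
    short bad = -4;
    printf("vulnerable: count %d -> %lu entries allocated, %zu written, %zu out of bounds\n",
           bad, vuln_alloc_entries(bad), entries_written(2), vuln_oob_writes(bad, 2));
    printf("hardened: count %d -> %s\n", bad,
           safe_bytes_or_zero(bad, 2) ? "accepted" : "rejected");
    printf("hardened: count 2 -> %zu bytes\n", safe_bytes_or_zero(2, 2));
    return 0;
}
```

The wrap is platform independent because the conversion of a negative value to unsigned long is defined modulo 2^N whatever N is; the fix is equally portable because it never lets a negative value reach the unsigned domain and never trusts one count for allocation and another for writing.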

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-03-11 00:00:00 UTC)
Proof of Concept Available
Yes (added 2025-03-23 23:30:37 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2025-03-11 00:00:00 UTC

Recent Mentions

CISA Adds One Known Exploited Vulnerability to Catalog

Source: All CISA Advisories • Published: 2025-05-06 12:00:00 UTC

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Google Fixes Actively Exploited Android System Flaw in May 2025 Security Update

Source: TheHackerNews • Published: 2025-05-06 05:46:00 UTC

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild. The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges. "The most severe of

Android May 2025 Security Update Fixes Actively Exploited FreeType Zero-Day

Source: CyberInsider • Published: 2025-05-05 18:59:40 UTC

Google’s Android security update for May 2025 patches a zero-day vulnerability in the FreeType font library that is currently being exploited in the wild, alongside dozens of high-severity flaws across the system, framework, and various hardware components. The zero-day, tracked as CVE-2025-27363, resides in the System component and stems from a memory handling bug in …

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

zhuowei/CVE-2025-27363-proof-of-concept

Type: github • Created: 2025-03-23 23:30:37 UTC • Stars: 6

Timeline

  • CVE ID Reserved

  • Added to KEVIntel

  • CVE Published to Public

  • Proof of Concept Exploit Available