Out of Bounds Write Vulnerability in FreeType Software by FreeType Project
CVE-2025-27363

8.1 HIGH

Key Information:

Vendor: FreeType
Status: Vendor
CVE Published: 11 March 2025

Badges

📈 Trended, 📈 Score: 2,940, 💰 Ransomware, 👾 Exploit Exists, 🟣 EPSS 63%, 🦅 CISA Reported, 📰 News Worthy

What is CVE-2025-27363?

CVE-2025-27363 is a vulnerability in FreeType, a widely used font rendering library deployed on many platforms including Android, affecting versions 2.13.0 and below. The flaw is classified as an out-of-bounds write and is triggered when the library parses font subglyph structures belonging to TrueType GX and variable font files. It arises from improper handling of signed and unsigned values in the parsing code: a signed value is converted to an unsigned one when the allocation size is computed, so the heap buffer is allocated too small for the data that is subsequently written into it. As a result, an attacker who supplies a crafted font can cause writes outside the allocated buffer, potentially enabling arbitrary code execution.
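As an added illustration, constructed for this page rather than taken from FreeType's source, the C snippet below models the signed-to-unsigned conversion the description refers to: a 16-bit signed subglyph count is widened to an unsigned size and combined with a constant, and a negative count wraps the result to a tiny allocation. The hardened variant rejects the negative count and checks the addition. The two-byte field layout, the EXTRA_BYTES constant and all function names are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constant added to the element count (not FreeType's value). */
#define EXTRA_BYTES 4UL

/* Read a big-endian signed 16-bit field, the encoding TrueType tables use. */
static int16_t read_int16_be(const uint8_t *p)
{
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: storing the signed short in an unsigned long turns a
   negative count into a huge value; adding EXTRA_BYTES then wraps the sum
   around to a tiny size, which would be passed to the allocator. */
unsigned long alloc_size_unchecked(const uint8_t *field)
{
    short count = read_int16_be(field);
    unsigned long n = count;      /* -3 becomes ULONG_MAX - 2 */
    return n + EXTRA_BYTES;       /* ULONG_MAX - 2 + 4 wraps to 1 */
}

/* Hardened pattern: refuse negative counts before any conversion and check
   the addition for overflow. Returns 0 on success, -1 on invalid input;
   *out is written only on success. */
int alloc_size_checked(const uint8_t *field, unsigned long *out)
{
    short count = read_int16_be(field);
    if (count < 0)
        return -1;
    unsigned long n = (unsigned long)count;
    if (n > ULONG_MAX - EXTRA_BYTES)
        return -1;
    *out = n + EXTRA_BYTES;
    return 0;
}

/* Constructed sample fields: a legitimate count of 10 and a crafted -3. */
const uint8_t sample_good[2] = { 0x00, 0x0A };
const uint8_t sample_bad[2]  = { 0xFF, 0xFD };

int main(void)
{
    unsigned long size = 0;
    printf("unchecked size for -3: %lu\n", alloc_size_unchecked(sample_bad));
    printf("checked result for -3: %d\n", alloc_size_checked(sample_bad, &size));
    return 0;
}
```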

Organizations utilizing FreeType, particularly in applications that process variable or TrueType fonts, could suffer significant negative impacts if this vulnerability is exploited. The exploitation could lead to unauthorized access, allowing attackers to execute arbitrary code, gain control over the affected systems, or compromise sensitive data. Given the broad deployment of FreeType across numerous platforms, its exploitation poses a risk not only to individual users but also to enterprises relying on software that integrates this font rendering library.

Potential impact of CVE-2025-27363

  1. Arbitrary Code Execution: The primary risk associated with CVE-2025-27363 is the potential for arbitrary code execution. Successful exploitation allows attackers to execute malicious code on the affected system, which could lead to further compromises, such as installing malware, exfiltrating sensitive data, or facilitating additional attacks on the network.

  2. Widespread Vulnerability Presence: FreeType is widely utilized across various software and hardware platforms, including mobile devices and web applications. This widespread integration means that the impact of the vulnerability could affect millions of devices, leading to a large attack surface that threat actors can exploit.

  3. Targeted Attacks on High-Value Individuals: The exploitation of CVE-2025-27363 may be particularly appealing to cybercriminals targeting high-profile individuals or organizations. Given that attacks can occur with no user interaction required, this vulnerability enables stealthy intrusions that can be leveraged to gather intelligence, steal credentials, or manipulate data without the user's awareness.

CISA has reported CVE-2025-27363

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-27363 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

FreeType: versions from 0.0.0 up to and including 2.13.0

News Articles

Week in review: The impact of a CVE-free future on cyber defense, Patch Tuesday forecast - Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: What a future without CVEs means for cyber defense For

1 week ago

Critical Android ‘No Interaction’ Attacks Confirmed By Google

No user interaction Android hack attacks underway — take action now.

2 weeks ago

Actively exploited FreeType flaw fixed in Android (CVE-2025-27363) - Help Net Security

Google released fixes for many Android vulnerabilities, including a FreeType flaw (CVE-2025-27363) "under limited, targeted exploitation."

2 weeks ago

EPSS Score

63% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🦅 CISA Reported
  • 💰 Used in Ransomware
  • 📈 Vulnerability started trending
  • 👾 Exploit known to exist
  • 📰 First article discovered by SecurityWeek
  • Vulnerability published
  • Vulnerability Reserved
