Out of Bounds Write Vulnerability in FreeType Software by FreeType Project
CVE-2025-27363

8.1 HIGH

Key Information:

Vendor: Freetype
Status: Freetype
CVE Published: 11 March 2025

Badges

📈 Trended | 📈 Score: 2,940 | 💰 Ransomware | 👾 Exploit Exists | 📰 News Worthy

What is CVE-2025-27363?

CVE-2025-27363 is an out-of-bounds write vulnerability identified in the FreeType software, specifically affecting versions 2.13.0 and earlier. FreeType is an open-source software library designed to render fonts, widely used in various applications and platforms for displaying text. This vulnerability arises when the library attempts to process font subglyph structures, particularly in TrueType GX and variable font files. If exploited, it could allow attackers to execute arbitrary code, posing significant risks to organizations that rely on FreeType for font rendering in their applications.

Technical Details

The vulnerability stems from improper handling of integer types within the FreeType library. During the parsing of font subglyph structures, a signed short value is assigned to an unsigned long variable; the arithmetic performed on the widened value then produces an incorrect size, so the heap buffer allocated is too small for the data later written into it. As a consequence, the library may write beyond the end of the buffer, corrupting adjacent heap memory. An out-of-bounds write of this kind can lead to several severe outcomes, including the execution of arbitrary code by an attacker.
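The paragraph above describes the bug class without showing why a signed-to-unsigned conversion shrinks an allocation. The following C program is an added illustration written for this page; it is not FreeType's code and its `point_t` record, `HEADER_BYTES` overhead and function names are constructed stand-ins. It contrasts the unchecked widening pattern with a hardened size computation that rejects negative counts and checks each arithmetic step for overflow, which is the defensive pattern a code reviewer would look for in any font or file parser.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-byte element standing in for a per-point record.
 * Illustrative only; this is not FreeType's data layout. */
typedef struct { int16_t x, y; } point_t;

/* Constructed fixed overhead placed in front of the point array. */
#define HEADER_BYTES 8u

/* Vulnerable pattern: a count read from the file as a signed 16-bit value is
 * widened straight into an unsigned long. A negative count sign-extends to a
 * huge value, and the multiply/add then wraps modulo the width of unsigned
 * long, so the computed allocation size can be far smaller than the number of
 * elements the parser will later try to store. For n_points == -1 the result
 * is 4 bytes, not enough for even one point record. */
unsigned long buggy_byte_count(int16_t n_points)
{
    unsigned long n = n_points;                 /* implicit sign extension */
    return n * sizeof(point_t) + HEADER_BYTES;  /* may wrap */
}

/* Hardened version: reject a negative count before it is widened, and refuse
 * any count whose size computation would overflow size_t. Only a result that
 * passed both checks may be handed to the allocator. */
bool safe_byte_count(int16_t n_points, size_t *out)
{
    if (n_points < 0)
        return false;                           /* untrusted value out of range */
    size_t n = (size_t)n_points;
    if (n > (SIZE_MAX - HEADER_BYTES) / sizeof(point_t))
        return false;                           /* n * sizeof + header would wrap */
    *out = n * sizeof(point_t) + HEADER_BYTES;
    return true;
}

/* Convenience wrapper for callers and tests: returns 0 when the count is
 * rejected (a valid size is never 0 because HEADER_BYTES is always added). */
size_t checked_byte_count(int16_t n_points)
{
    size_t out = 0;
    return safe_byte_count(n_points, &out) ? out : 0;
}

int main(void)
{
    /* Constructed sample counts: two valid, two negative as a corrupt file might carry. */
    int16_t samples[] = { 3, 0, -1, INT16_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t checked = checked_byte_count(samples[i]);
        printf("count=%6d  unchecked size=%20lu  checked=",
               samples[i], buggy_byte_count(samples[i]));
        if (checked)
            printf("%zu bytes\n", checked);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The wrap-around in `buggy_byte_count` comes out the same on 32-bit and 64-bit `unsigned long`, because (2^k - 1) * 4 + 8 is congruent to 4 modulo 2^k; the hardened path never reaches that arithmetic because the sign check fails first.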

Potential impact of CVE-2025-27363

  1. Arbitrary Code Execution: Exploiting this vulnerability allows attackers to run malicious code on the affected system, which can result in complete system compromise.

  2. Data Breaches: Once an attacker gains control through arbitrary code execution, they may access sensitive data, leading to potential data leaks or theft.

  3. System Instability: The exploitation may cause crashes or other erratic behaviors in applications relying on FreeType, potentially resulting in denial of service scenarios and impacting overall system reliability.

Affected Version(s)

FreeType 0.0.0 <= 2.13.0

News Articles

Chinese threat actor targets Juniper routers. CISA issues advisory on Medusa ransomware.

Facebook warns of actively exploited FreeType vulnerability.

1 week ago

Meta warns of actively exploited flaw in FreeType library

Meta warned that a vulnerability, tracked as CVE-2025-27363, impacting the FreeType library may have been exploited in the wild.

2 weeks ago

Meta Warns of FreeType Vulnerability Exploited in Wild to Execute Arbitrary Code

A critical vulnerability in the widely used FreeType font rendering library has been discovered and is reportedly being exploited in the wild

2 weeks ago

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 💰 Used in Ransomware
  • 📈 Vulnerability started trending
  • 👾 Exploit known to exist
  • 📰 First article discovered by SecurityWeek
  • Vulnerability published
  • Vulnerability Reserved