Out of Bounds Write Vulnerability in FreeType Software by FreeType Project
CVE-2025-27363
What is CVE-2025-27363?
CVE-2025-27363 is an out-of-bounds write vulnerability identified in the FreeType software, specifically affecting versions 2.13.0 and earlier. FreeType is an open-source software library designed to render fonts, widely used in various applications and platforms for displaying text. This vulnerability arises when the library attempts to process font subglyph structures, particularly in TrueType GX and variable font files. If exploited, it could allow attackers to execute arbitrary code, posing significant risks to organizations that rely on FreeType for font rendering in their applications.
Technical Details
The vulnerability stems from improper handling of data types within the FreeType library. During the parsing of font subglyph structures, a signed short value is incorrectly assigned to an unsigned long variable, leading to incorrect calculations that result in heap buffer allocation being too small. As a consequence, the library may write data beyond the allocated buffer, potentially affecting adjacent memory areas. This kind of out-of-bounds write can lead to several severe outcomes, including the execution of arbitrary code by an attacker.
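The integer conversion described above, shown with an added example that is not FreeType's code: `buggy_element_count` reproduces the signed-short-to-unsigned-long pattern with a hypothetical added constant of 4, and `checked_element_count` shows the validation that keeps a negative font field from producing an undersized allocation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constant added to the parsed count before allocation. Hypothetical value,
 * standing in for the static value the advisory text mentions. */
#define EXTRA_ELEMENTS 4UL

/* Buggy pattern from the advisory text: a signed 16-bit field read from the
 * font is stored in an unsigned long and a constant is added. A negative
 * field is converted modulo ULONG_MAX + 1, so -2 becomes ULONG_MAX - 1 and
 * adding 4 wraps around to 2: a tiny allocation for the writes that follow. */
unsigned long buggy_element_count(short parsed_count)
{
    unsigned long count = parsed_count; /* implicit signed -> unsigned conversion */
    return count + EXTRA_ELEMENTS;      /* unsigned wrap-around, never diagnosed */
}

/* Hardened variant: reject negative counts before converting, and compare
 * against ULONG_MAX instead of letting the addition wrap. Returns false when
 * the font data is inconsistent so the caller can treat the glyph as invalid. */
bool checked_element_count(short parsed_count, unsigned long *out)
{
    if (parsed_count < 0)
        return false;
    unsigned long count = (unsigned long)parsed_count;
    if (count > ULONG_MAX - EXTRA_ELEMENTS)
        return false;
    *out = count + EXTRA_ELEMENTS;
    return true;
}

int main(void)
{
    /* Constructed sample field values, including the negative ones that wrap. */
    short samples[] = { 10, 0, -1, -2, SHRT_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long safe = 0;
        unsigned long buggy = buggy_element_count(samples[i]);
        if (checked_element_count(samples[i], &safe))
            printf("parsed=%6d  buggy=%20lu  checked=%lu\n", samples[i], buggy, safe);
        else
            printf("parsed=%6d  buggy=%20lu  checked=rejected\n", samples[i], buggy);
    }
    return 0;
}
```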
Potential impact of CVE-2025-27363
- Arbitrary Code Execution: Exploiting this vulnerability allows attackers to run malicious code on the affected system, which can result in complete system compromise.
- Data Breaches: Once an attacker gains control through arbitrary code execution, they may access sensitive data, leading to potential data leaks or theft.
- System Instability: The exploitation may cause crashes or other erratic behaviors in applications relying on FreeType, potentially resulting in denial of service scenarios and impacting overall system reliability.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
FreeType 0.0.0 <= 2.13.0
News Articles
- Critical Android ‘No Interaction’ Attacks Confirmed By Google: No user interaction Android hack attacks underway — take action now.
- Actively exploited FreeType flaw fixed in Android (CVE-2025-27363) - Help Net Security: Google released fixes for many Android vulnerabilities, including a FreeType flaw (CVE-2025-27363) "under limited, targeted exploitation."
- May 2025 Android Security Bulletin Fixes 46 Vulnerabilities: Google's May 2025 Android Security Bulletin patches 46 flaws, including CVE-2025-27363, a high-risk vulnerability already exploited in targeted attacks.
EPSS Score
71% chance of being exploited in the next 30 days.
Timeline
- 🦅 CISA Reported
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability reserved