🟢 CVE-2025-27363

CVE-2025-27363 is an out-of-bounds write vulnerability in FreeType versions 2.13.0 and below that allows arbitrary code execution when parsing malicious TrueType font files. While highly severe and actively exploited in the wild, this primarily affects client applications that process fonts rather than internet-facing servers.

Risk Level: LOW_RISK
CVSS Score: 8.1
Attack Vector: NETWORK
ATT&CK Tactic: Execution
ATT&CK Technique: T1203 — Exploitation for Client Execution
Deployment Risk: VERY_LOW
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-03-11

Added to CISA KEV: 2025-05-06 (56 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-27363 is a high-severity out-of-bounds write vulnerability in the FreeType font rendering library, which is widely used across various operating systems, including Android and Linux distributions [1] [6].

Vulnerability Overview

  • Root Cause: The vulnerability occurs when parsing font subglyph structures related to TrueType GX and variable font files [1]. It is caused by an improper cast of a signed short to an unsigned long, which, when combined with a static value addition, leads to an integer wraparound and the allocation of a heap buffer that is too small [1] [3].
  • Impact: Successful exploitation allows for remote code execution (RCE) on the affected system [3] [5].

Exploitation and Threat Landscape

  • Active Exploitation: The vulnerability was identified as being actively exploited in the wild, notably as an Android zero-day, and was patched by Google in the May 2025 security updates [2] [7].
  • Attacker Profile: While specific attribution remains limited, the nature of the exploitation suggests targeted campaigns, potentially involving state-sponsored actors or forensic firms [2]. There is no widespread evidence linking this to common ransomware campaigns.
  • Attack Method: Exploitation is triggered when a vulnerable system processes a malicious font file [3]. This can be achieved via network-based vectors (e.g., through browsers or document rendering) [3].
  • Exploit Availability: Public repositories and research documentation exist regarding the exploitation of this vulnerability, indicating that technical details and proof-of-concept research are available to security researchers [4].

Affected Versions and Mitigation

  • Affected Versions: FreeType versions 2.13.0 and below are vulnerable [1].
  • Patch Status: The vulnerability has been addressed in newer versions of FreeType [1]. Users are advised to update their systems, including Android devices and Linux distributions, to the latest available security patch levels to mitigate the risk [5] [7].
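The root-cause bullet above describes a generic C integer hazard: a signed 16-bit count cast to `unsigned long`, plus a constant, wrapping to a tiny allocation size. The following is an added illustration of that arithmetic and of the check that prevents it; it is not FreeType's code, and `HEADER_BYTES` is a hypothetical constant standing in for the "static value addition" the write-up mentions (the actual FreeType values and structures are not reproduced here).

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical constant standing in for the fixed value added to the
   parsed count; the real FreeType header size is not given on this page. */
#define HEADER_BYTES 4UL

/* Vulnerable pattern: the signed count is converted straight to unsigned
   long and a constant is added. A negative count becomes a value near
   ULONG_MAX, the addition wraps modulo 2^N, and the size ends up tiny. */
unsigned long size_vulnerable(short count) {
    return (unsigned long)count + HEADER_BYTES;
}

/* Hardened pattern: reject negative counts before the conversion and check
   the addition for wraparound. Returns 0 on rejection; any accepted size is
   at least HEADER_BYTES, so 0 is an unambiguous sentinel. */
unsigned long size_checked(short count) {
    if (count < 0)
        return 0;
    unsigned long n = (unsigned long)count;
    /* Cannot trigger for a short, but it is the general overflow check
       for the pattern and costs nothing. */
    if (n > ULONG_MAX - HEADER_BYTES)
        return 0;
    return n + HEADER_BYTES;
}

/* Allocate using only the checked size; NULL means the input was rejected
   (or malloc itself failed), so the caller never writes into a buffer
   sized by wrapped arithmetic. */
unsigned char *alloc_checked(short count) {
    unsigned long size = size_checked(count);
    if (size == 0)
        return NULL;
    return malloc(size);
}

int main(void) {
    /* Constructed sample counts: a sane value, zero, and two negatives
       that make the unchecked addition wrap to a tiny buffer. */
    short samples[] = { 3, 0, -1, -3 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long vuln = size_vulnerable(samples[i]);
        unsigned long safe = size_checked(samples[i]);
        printf("count=%3d  unchecked size=%lu  checked=%s\n",
               samples[i], vuln, safe ? "accepted" : "rejected");
    }
    return 0;
}
```

Because the wraparound is modular, the result does not depend on the width of `unsigned long`: a count of -1 yields `HEADER_BYTES - 1` bytes on both 32-bit and 64-bit targets, while the parser's later writes are still sized by the logical count. The defensive version keeps the sign check ahead of the conversion, which is the point at which the information is lost.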

Sources

  1. NVD - CVE-2025-27363

    An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph ... CVE-2025-27363 Detail. Description. An out of bounds write exists…

  2. Google Patches Sneaky Android Zero-Day in May 2025... | Medium

    CVE-2025-27363 is the fifth Android zero-day patched in 2025, following a string of exploits like CVE-2024-53104 (USB Video Class driver) and CVE-2024-53197 (Linux kernel). Google's transparency about exploitation is commendable, but the lack of details on attackers or targets suggests these are tar…

  3. CVE-2025-27363: FreeType Font Parsing RCE Vulnerability

    CVE-2025-27363 is a remote code execution vulnerability in FreeType 2.13.0 and below. Learn about its impact, affected versions, and mitigation methods. The root cause is the improper casting of a signed short to an unsigned long during buffer allocation, compounded by a wraparound due to an added st…

  4. tin-z/CVE-2025-27363 | DeepWiki

    This document provides an introduction to the CVE-2025-27363 exploitation repository, explains the scope of the vulnerability research, and outlines the major components and artifacts contained within. For detailed technical analysis of the vulnerability itself, see Vulnerability Analysis. For step-…

  5. Call for testing - FreeType CVE-2025-27363 - AlmaLinux

    Impact and Mitigation: The vulnerability is devious and highly-enough rated that we are pulling in the patches for testing ahead of our upstream ... UPDATE March 17th, 2025 - these patches have now been released to production for AlmaLinux users. The Announcement On Monday Meta announced a flaw in F…

  6. CVE-2025-27363 - Out-of-Bounds Write in FreeType <= 2.13.—What It Is ...

    CVE-2025-27363 is a high-severity security vulnerability discovered in FreeType, a widely used open-source font rendering engine. If you run Linux, Android, or software that displays custom fonts (including many browsers and graphics editors), you may be indirectly at risk. This vulnerability lurks…

  7. Security Patch for actively exploited CVE-2025-27363 : r/razr - Reddit

    There is an actively exploited security hole in the FreeType component of Android and other OSes, Google has a patch for it in the May security update.