Description
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
Published: 2025-03-11
Score: 8.1 High
EPSS: 69.2% High
KEV: Yes
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

An out‑of‑bounds write occurs when FreeType 2.13.0 and earlier parse font subglyph structures in TrueType GX and variable font files. The code assigns a signed short to an unsigned long and adds a constant, causing a wrap‑around that allocates a heap buffer too small for the data that follows. Up to six signed long integers are then written beyond the end of the buffer, enabling an attacker to influence control flow and achieve arbitrary code execution. This is a heap‑based out‑of‑bounds write (CWE‑787).
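To make the wrap‑around in the description above concrete, the following is an added C model of the size arithmetic, not FreeType's own source: the count field, the constant 4 (standing in for the "static value" the parser adds) and the sample values are assumptions; it shows the vulnerable computation beside a hardened one that rejects negative counts before the conversion.

```c
#include <limits.h>
#include <stdio.h>

/* Added model of the size arithmetic the advisory describes; this is not
   FreeType's source. EXTRA_SLOTS stands in for the "static value" the
   parser adds to a count read from the font (the real constant and field
   names are not on this page). */
#define EXTRA_SLOTS 4UL

/* Vulnerable pattern: a signed short is assigned to an unsigned long, so a
   negative count sign-extends to a huge value; adding EXTRA_SLOTS then wraps
   modulo ULONG_MAX+1 to a tiny number, and a buffer of that size is allocated
   while later code still writes the entries it expects to find. */
unsigned long vuln_slot_count(short count_from_font)
{
    unsigned long n = count_from_font;   /* implicit sign-extension, no check */
    n += EXTRA_SLOTS;                    /* -3 + 4 wraps to 1, -4 + 4 to 0 */
    return n;
}

/* Hardened pattern: reject negative counts before the conversion and fail
   closed if the addition could overflow. Returns 1 on success, 0 on error. */
int safe_slot_count(short count_from_font, unsigned long *out)
{
    if (count_from_font < 0)
        return 0;                        /* malformed font data */
    unsigned long n = (unsigned long)count_from_font;
    if (n > ULONG_MAX - EXTRA_SLOTS)
        return 0;                        /* cannot happen for a short, kept for form */
    *out = n + EXTRA_SLOTS;
    return 1;
}

int main(void)
{
    /* Constructed sample counts: two benign, two negative as malformed
       font data could supply. */
    const short samples[] = { 2, 0, -3, -4 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = vuln_slot_count(samples[i]), s = 0;
        int ok = safe_slot_count(samples[i], &s);
        printf("count=%3d  vulnerable size=%lu longs (%lu bytes)  hardened: %s\n",
               samples[i], v, v * (unsigned long)sizeof(long),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The wrapped result is the same whether unsigned long is 32 or 64 bits wide, since only the low bits of the modular sum survive.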

Affected Systems

The vulnerability impacts the FreeType library, which is bundled with many Linux distributions, including Red Hat Enterprise Linux 8 and 9, Red Hat OpenShift 4.12, and various Red Hat support streams. Any application or service that loads TrueType GX or variable font files via FreeType may be exposed.

Risk and Exploitability

With a CVSS score of 8.1 and an EPSS score of 69%, the risk is high; the vulnerability is listed in the CISA KEV catalog, indicating that exploitation has been observed in the wild. Any user or process that handles manipulated font files could be targeted, potentially leading to remote code execution. The likely vector is local or remote delivery of specially crafted font files to an affected application.

Generated by OpenCVE AI on April 22, 2026 at 01:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeType to version 2.13.1 or newer; this version removes the out‑of‑bounds write.
  • If an update cannot be applied immediately, reinstall the package to ensure the patched binary is used, or apply any vendor‑specific security patches that include an updated FreeType that blocks the vulnerability.
  • Restrict usage of TrueType GX and variable fonts by configuring applications to reject these file types or by removing them from source directories.
  • Monitor system logs for anomalous memory allocation failures or crashes that may indicate exploitation attempts.


Advisories
Source       ID           Title
Debian DLA   DLA-4104-1   freetype security update
Debian DSA   DSA-5880-1   freetype security update
Ubuntu USN   USN-7352-1   FreeType vulnerability
Ubuntu USN   USN-7352-2   FreeType vulnerabilities
History

Sun, 19 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
References

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 21 Oct 2025 23:15:00 +0000


Tue, 21 Oct 2025 20:30:00 +0000


Tue, 21 Oct 2025 19:30:00 +0000


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.70718}

epss

{'score': 0.71538}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.68423}

epss

{'score': 0.70718}


Tue, 24 Jun 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2

Thu, 29 May 2025 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_tus:8.4

Wed, 28 May 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_tus:8.6

Thu, 08 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift
CPEs cpe:/a:redhat:openshift:4.12::el8
Vendors & Products Redhat openshift

Wed, 07 May 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debian Linux
Freetype
Freetype freetype
CPEs cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Vendors & Products Debian
Debian debian Linux
Freetype
Freetype freetype

Wed, 07 May 2025 15:15:00 +0000

Type Values Removed Values Added
References

Tue, 06 May 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2025-05-06'}


Tue, 06 May 2025 22:30:00 +0000

Type Values Removed Values Added
References

Tue, 06 May 2025 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 02 Apr 2025 22:45:00 +0000

Type Values Removed Values Added
References

Wed, 02 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
cpe:/o:redhat:rhel_aus:8.2
cpe:/o:redhat:rhel_aus:8.4
cpe:/o:redhat:rhel_aus:8.6
cpe:/o:redhat:rhel_e4s:8.4
cpe:/o:redhat:rhel_e4s:8.6
cpe:/o:redhat:rhel_els:7
cpe:/o:redhat:rhel_eus:8.8
cpe:/o:redhat:rhel_tus:8.4
cpe:/o:redhat:rhel_tus:8.6
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus

Fri, 14 Mar 2025 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 14 Mar 2025 15:45:00 +0000

Type Values Removed Values Added
References

Fri, 14 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
References

Fri, 14 Mar 2025 05:45:00 +0000

Type Values Removed Values Added
References

Fri, 14 Mar 2025 01:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Mar 2025 23:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Mar 2025 17:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Mar 2025 13:15:00 +0000

Type Values Removed Values Added
Description
Values Removed: An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
Values Added: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Thu, 13 Mar 2025 05:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Mar 2025 04:45:00 +0000


Thu, 13 Mar 2025 02:00:00 +0000

Type Values Removed Values Added
Title freetype: OOB write when attempting to parse font subglyph structures related to TrueType GX and variable font files
References
Metrics threat_severity

None

threat_severity

Important


Tue, 11 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H'}


MITRE

Status: PUBLISHED

Assigner: facebook

Published:

Updated: 2026-04-19T22:08:52.695Z

Reserved: 2025-02-21T19:53:14.160Z

Link: CVE-2025-27363

Vulnrichment

Updated: 2026-04-19T22:08:52.695Z

NVD

Status : Analyzed

Published: 2025-03-11T14:15:25.427

Modified: 2026-04-20T13:15:39.743

Link: CVE-2025-27363

Redhat

Severity : Important

Public Date: 2025-03-11T13:28:31Z

Links: CVE-2025-27363 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses