CVE-2025-27363

Name
CVE-2025-27363
Description
An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
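The arithmetic behind the description, as an added illustration that is not FreeType's code and not part of this tracker entry: a signed 16-bit count is stored in an unsigned long, a constant is added, and the sum wraps to a small value that then sizes the allocation. The function names, the EXTRA_SLOTS addend and the sample counts are all constructed for this example; the checked variant shows the two guards (reject negative counts, check the addition and multiplication against SIZE_MAX) that prevent the undersized allocation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the defect class the advisory describes.
 * Nothing here is FreeType code; the names and the constant are
 * assumptions chosen to illustrate the arithmetic. */

#define EXTRA_SLOTS 4UL  /* hypothetical fixed addend, not FreeType's value */

/* Vulnerable pattern: a signed 16-bit count from the font is stored in an
 * unsigned long before a constant is added.  A negative count such as -1
 * becomes ULONG_MAX, and adding EXTRA_SLOTS wraps to a tiny value. */
unsigned long vulnerable_slot_count(short count_from_font)
{
    unsigned long slots = count_from_font;  /* implicit sign conversion */
    slots += EXTRA_SLOTS;                   /* can wrap past zero */
    return slots;
}

/* Hardened pattern: reject negative counts, then check that the addition
 * and the later multiplication by sizeof(long) cannot overflow. */
bool safe_slot_count(short count_from_font, unsigned long *out_slots)
{
    if (count_from_font < 0)
        return false;
    unsigned long slots = (unsigned long)count_from_font;
    if (slots > SIZE_MAX / sizeof(long) - EXTRA_SLOTS)
        return false;
    *out_slots = slots + EXTRA_SLOTS;
    return true;
}

/* Bytes the vulnerable path would request from the allocator for a count. */
size_t vulnerable_alloc_bytes(short count_from_font)
{
    return (size_t)vulnerable_slot_count(count_from_font) * sizeof(long);
}

int main(void)
{
    short samples[] = { 10, 0, -1, -3 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long checked = 0;
        bool ok = safe_slot_count(samples[i], &checked);
        printf("count %4d: vulnerable path sizes %lu slots (%zu bytes); "
               "checked path: %s\n",
               samples[i], vulnerable_slot_count(samples[i]),
               vulnerable_alloc_bytes(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

For a count of -1 the vulnerable path computes ULONG_MAX + 4, which wraps to 3 slots regardless of the width of unsigned long, so the allocation is far smaller than the writer that follows expects; the checked path refuses the negative count before any size is computed.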
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://www.facebook.com/security/advisories/cve-2025-27363
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/13/1
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/13/2
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/13/3
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/13/8
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/13/11
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/13/12
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/14/1
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/14/2
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/14/3
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/03/14/4
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
134c704f-9b21-4f2e-91b3-4a467353bcc0 https://source.android.com/docs/security/bulletin/2025-05-01
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/05/06/3
134c704f-9b21-4f2e-91b3-4a467353bcc0 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363

Match rules

CPE URI Source package Min version Max version
freetype >= 0.0.0 <= 2.13.0
cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:* freetype >= None <= 2.13.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
freetype edge-main 2.13.1-r0 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
freetype edge-main 2.12.1-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
freetype edge-main 2.10.4-r0 None possibly vulnerable
freetype edge-main 2.9-r1 None possibly vulnerable
freetype edge-main 2.7.1-r1 None possibly vulnerable
freetype 3.22-main 2.13.1-r0 None fixed
freetype 3.22-main 2.12.1-r0 None possibly vulnerable
freetype 3.22-main 2.10.4-r0 None possibly vulnerable
freetype 3.22-main 2.9-r1 None possibly vulnerable
freetype 3.22-main 2.7.1-r1 None possibly vulnerable
freetype 3.21-main 2.12.1-r0 None possibly vulnerable
freetype 3.21-main 2.10.4-r0 None possibly vulnerable
freetype 3.21-main 2.9-r1 None possibly vulnerable
freetype 3.21-main 2.7.1-r1 None possibly vulnerable
freetype 3.20-main 2.12.1-r0 None possibly vulnerable
freetype 3.20-main 2.10.4-r0 None possibly vulnerable
freetype 3.20-main 2.9-r1 None possibly vulnerable
freetype 3.20-main 2.7.1-r1 None possibly vulnerable
freetype 3.19-main 2.12.1-r0 None possibly vulnerable
freetype 3.19-main 2.10.4-r0 None possibly vulnerable
freetype 3.19-main 2.9-r1 None possibly vulnerable
freetype 3.19-main 2.7.1-r1 None possibly vulnerable