
FreeType CVE-2025-27363

Severity: HIGH
Weakness: Out-of-bounds Write (CWE-787)
Published: 2025-03-11 (CNA: cve-assign@fb.com)
CVSS 3.1 base score: 8.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (8 events)

Analysis Updated - Apr 20, 2026 13:30 (vuln.today) - v4 (cvss_changed)
Analysis Updated - Apr 19, 2026 23:29 (vuln.today) - v3 (cvss_changed)
Analysis Updated - Apr 17, 2026 13:43 (vuln.today) - v2 (cvss_changed)
Re-analysis Queued - Apr 16, 2026 19:22 (vuln.today) - cvss_changed
Patch released - Mar 31, 2026 21:13 (nvd) - Patch available
Analysis Generated - Mar 12, 2026 19:52 (vuln.today)
Added to CISA KEV - Oct 27, 2025 17:06 (cisa) - CISA KEV
CVE Published - Mar 11, 2025 14:15 (nvd) - HIGH 8.1

Description (NVD)

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Analysis (AI)

Arbitrary code execution in FreeType 2.13.0 and earlier via a heap buffer overflow when parsing TrueType GX/variable font subglyph structures. Confirmed actively exploited in the wild (CISA KEV). The attack requires high complexity but no authentication, and it affects widespread deployments including Android, Debian, and applications that embed FreeType for font rendering. The EPSS score of 76.15% (99th percentile) reflects significant real-world exploitation risk. Vendor patches are available; an immediate upgrade to a version newer than 2.13.0 is critical.

Technical Context (AI)

FreeType is a widely deployed open-source font rendering library used in Android, Linux distributions, browsers, and numerous applications that require text rendering. This vulnerability (CWE-787: Out-of-bounds Write) occurs in FreeType's TrueType GX and variable font parsing code when processing subglyph structures. The flaw is an integer conversion error: a signed short value is assigned to an unsigned long variable and then incremented by a static value. A negative short becomes a very large unsigned value, and the subsequent addition wraps around, so the required heap buffer size is miscalculated. The code then writes up to six signed long integers (24-48 bytes) beyond the undersized buffer boundary, corrupting heap memory. TrueType GX and variable fonts use advanced OpenType/TrueType features for glyph variations and transformations; these are complex data structures that require careful bounds checking during parsing. The vulnerability sits in font parsing paths that are invoked automatically whenever an application renders text from an untrusted font file.
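The size miscalculation described above can be seen in isolation with a small constructed C example. This is added illustration, not FreeType's code: the function names, the fixed addend (EXTRA_SLOTS) and the slot element type (long) are assumptions chosen to mirror the pattern in the advisory. The unchecked version shows how a negative 16-bit count wraps to a tiny allocation size; the checked version shows the input validation and overflow checks that prevent it.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example of the integer-conversion bug class described in the
 * advisory: a signed 16-bit count is converted to unsigned long, a fixed
 * addend is applied, and the result sizes a heap buffer. This is not
 * FreeType's code; the names, the addend (EXTRA_SLOTS) and the slot type
 * (long) are assumptions for illustration only. */

#define EXTRA_SLOTS 4UL   /* hypothetical fixed number of extra slots */

/* Unsafe size computation. A negative count such as -3 converts to
 * ULONG_MAX - 2; adding EXTRA_SLOTS wraps the sum back to 1, so a caller
 * would allocate one slot for a table it later fills as if it were larger. */
unsigned long unchecked_slot_count(short count)
{
    unsigned long slots = count;   /* implicit signed -> unsigned conversion */
    slots += EXTRA_SLOTS;          /* may wrap around */
    return slots;
}

/* Hardened computation: reject negative counts before conversion and check
 * both the addition and the byte-size multiplication for overflow.
 * Returns 0 and stores the byte size on success, -1 on an invalid count. */
int checked_slot_bytes(short count, size_t *out_bytes)
{
    if (count < 0)
        return -1;                              /* negative count is invalid */
    unsigned long slots = (unsigned long)count;
    if (slots > ULONG_MAX - EXTRA_SLOTS)
        return -1;                              /* addition would wrap */
    slots += EXTRA_SLOTS;
    if (slots > SIZE_MAX / sizeof(long))
        return -1;                              /* multiplication would wrap */
    *out_bytes = (size_t)slots * sizeof(long);
    return 0;
}

/* Allocate the slot table using the checked size, or return NULL when the
 * count is rejected. The caller owns the returned buffer. */
long *allocate_slots(short count)
{
    size_t bytes;
    if (checked_slot_bytes(count, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed sample counts: two valid, one negative (the bug trigger). */
    short samples[] = { 5, 0, -3 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long *table = allocate_slots(samples[i]);
        printf("count %d: unchecked slots = %lu, checked allocation %s\n",
               samples[i], unchecked_slot_count(samples[i]),
               table ? "ok" : "rejected");
        free(table);
    }
    return 0;
}
```

The key design point is ordering: the sign check must happen on the signed value before it is converted, because once a negative number has become an unsigned long there is no longer any way to tell it apart from a legitimately large count.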

Remediation (AI)

Upgrade FreeType to a version newer than 2.13.0 immediately. Vendor patches are available per NVD data and are confirmed by multiple distribution advisories in the http://www.openwall.com/lists/oss-security/2025/03/13/ series. Debian users should apply updates via the standard apt channels, referencing https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html. Android users must install the May 2025 security patches per https://source.android.com/docs/security/bulletin/2025-05-01. For environments that cannot upgrade immediately, the following compensating controls apply, each with the noted limitation:
(1) Disable processing of untrusted font files in applications. This blocks the attack vector but breaks functionality that requires external fonts.
(2) Deploy application sandboxing and CFI/DEP protections. These reduce the likelihood of successful exploitation but do not remove the vulnerability.
(3) Block network delivery of font files via web content filtering. This mitigates remote exploitation but is ineffective against local and email vectors.
(4) Restrict font installation to administrators only. This limits exposure, but UI:N means no user action is required for applications that process fonts automatically.
No workaround eliminates the risk; patching is mandatory given confirmed active exploitation.

Vendor Status (Vendor)


CVE-2025-27363 vulnerability details – vuln.today
