Cyber Resilience

CVE-2025-27363

HighCISA KEVActive ExploitationEUVD Exploited

Published: 11 March 2025

Published
11 March 2025
Modified
20 April 2026
KEV Added
06 May 2025
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7034 98.7th percentile
Risk Priority 78 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27363 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Freetype Freetype. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 1.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27363 is an out-of-bounds write in FreeType 2.13.0 and earlier that occurs during parsing of font subglyph structures in TrueType GX and variable font files. The vulnerable code path assigns a signed short to an unsigned long, adds a constant, and wraps around to allocate an undersized heap buffer before writing up to six signed long values outside its bounds. The flaw is classified as CWE-787 and carries a CVSS 3.1 score of 8.1.

An unauthenticated remote attacker can trigger the issue by supplying a crafted font file, achieving arbitrary code execution with no user interaction required. The attack complexity is rated high, yet the vulnerability may already have been exploited in the wild.

Public advisories published via Facebook Security and the OpenWall oss-security list confirm that versions newer than 2.13.0 are unaffected and direct users to upgrade. The associated EPSS score rose from low values to a peak of 0.79 before receding to its current level of 0.70, indicating that exploitation interest emerged after disclosure.

EU & UK References

Vulnerability details

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed…

more

short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

CWE(s)
KEV Date Added
06 May 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The CVE describes an out-of-bounds write vulnerability in FreeType font parsing leading to arbitrary code execution, which directly enables Exploitation for Client Execution (T1203) via malicious font files.

CVEs Like This One

CVE-2025-24201Same product: Debian Debian Linuxboth on KEV
CVE-2025-21042Shared CWE-787both on KEV
CVE-2025-43300Shared CWE-787both on KEV
CVE-2026-25061Same product: Debian Debian Linux
CVE-2025-14174Shared CWE-787both on KEV
CVE-2025-21043Shared CWE-787both on KEV
CVE-2026-3909Shared CWE-787both on KEV
CVE-2025-6558Same product: Debian Debian Linuxboth on KEV
CVE-2026-25506Same product: Debian Debian Linux
CVE-2025-64512Same product: Debian Debian Linux

Affected Assets

freetype
freetype
≤ 2.13.0
debian
debian linux
11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and remediation of flaws like the out-of-bounds write in vulnerable FreeType versions through patching or upgrading.

detect

Requires vulnerability scanning to detect the presence of vulnerable FreeType library versions affected by CVE-2025-27363.

prevent

Implements memory protections like ASLR and non-executable heap that mitigate arbitrary code execution from the heap buffer overflow in FreeType.

References