CVE-2025-27363
Published: 11 March 2025
Summary
CVE-2025-27363 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Freetype Freetype. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 1.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-27363 is an out-of-bounds write in FreeType 2.13.0 and earlier that occurs during parsing of font subglyph structures in TrueType GX and variable font files. The vulnerable code path assigns a signed short to an unsigned long, adds a constant, and wraps around to allocate an undersized heap buffer before writing up to six signed long values outside its bounds. The flaw is classified as CWE-787 and carries a CVSS 3.1 score of 8.1.
An unauthenticated remote attacker can trigger the issue by supplying a crafted font file, achieving arbitrary code execution with no user interaction required. The attack complexity is rated high, yet the vulnerability may already have been exploited in the wild.
Public advisories published via Facebook Security and the OpenWall oss-security list confirm that versions newer than 2.13.0 are unaffected and direct users to upgrade. The associated EPSS score rose from low values to a peak of 0.79 before receding to its current level of 0.70, indicating that exploitation interest emerged after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6367
Vulnerability details
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed…
more
short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
- CWE(s)
- KEV Date Added
- 06 May 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an out-of-bounds write vulnerability in FreeType font parsing leading to arbitrary code execution, which directly enables Exploitation for Client Execution (T1203) via malicious font files.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely identification, reporting, and remediation of flaws like the out-of-bounds write in vulnerable FreeType versions through patching or upgrading.
Requires vulnerability scanning to detect the presence of vulnerable FreeType library versions affected by CVE-2025-27363.
Implements memory protections like ASLR and non-executable heap that mitigate arbitrary code execution from the heap buffer overflow in FreeType.