CVE-2025-27363
In short
The FreeType font rendering library has an out-of-bounds write bug when processing certain variable fonts. An attacker can craft a malicious font file that, when processed, writes data beyond the allocated heap buffer and can potentially lead to code execution.
Technical detail
Out-of-bounds write in FreeType ≤2.13.0 during TrueType GX/variable font subglyph parsing due to signed-to-unsigned conversion and integer wrap-around in heap buffer allocation. Attack vector: processing untrusted font files; impact: arbitrary code execution with application privileges.
Summary generated and translated by AI from the official description.
An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H
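The integer conversion the description refers to, as an added illustration that is not FreeType's code: a signed short count is widened to unsigned long and a constant (EXTRA_SLOTS, an assumed placeholder) is added, so a negative count wraps to a tiny allocation; the hardened variant rejects negative counts and checks the addition for wrap-around.

```c
#include <limits.h>
#include <stdio.h>

/* Model of the bug class in the description above, not FreeType's code:
 * a signed 16-bit count read from the font is converted to unsigned long
 * and a constant is added before sizing a heap buffer. EXTRA_SLOTS is an
 * assumed placeholder for that constant. */
#define EXTRA_SLOTS 4UL

/* Buggy pattern: the element count the allocation would be sized for.
 * A negative short sign-extends to a huge unsigned value, and adding
 * EXTRA_SLOTS wraps it around to a tiny count (e.g. -1 -> 3). */
unsigned long buggy_alloc_count(short count_from_font)
{
    unsigned long n = (unsigned long)count_from_font; /* -1 becomes ULONG_MAX */
    n += EXTRA_SLOTS;                                 /* wraps for -1..-4 */
    return n;
}

/* Hardened pattern: reject negative counts before the conversion and
 * check the addition for wrap-around. Returns -1 on rejection. */
long safe_alloc_count(short count_from_font)
{
    if (count_from_font < 0)
        return -1;                       /* a negative count is never valid */
    unsigned long n = (unsigned long)count_from_font;
    if (n > ULONG_MAX - EXTRA_SLOTS)
        return -1;                       /* addition would wrap */
    return (long)(n + EXTRA_SLOTS);
}

int main(void)
{
    /* Constructed sample counts: two valid, two that trigger the wrap. */
    short samples[] = { 10, 0, -1, -4 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short c = samples[i];
        printf("count %6d: buggy size %20lu  safe result %ld\n",
               c, buggy_alloc_count(c), safe_alloc_count(c));
    }
    return 0;
}
```

Any later write that assumes the buffer holds the full count of entries then lands beyond the tiny allocation, which is the condition a bounds check on the computed size is meant to catch before allocating.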
Affected products
FreeType · FreeType
Public PoCs found — 3
github.com/zhuowei/CVE-2025-27363-proof-of-concept (★ 38)
github.com/tin-z/CVE-2025-27363 (★ 31)
github.com/ov3rf1ow/CVE-2025-27363 (★ 3)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
https://source.android.com/docs/security/bulletin/2025-05-01
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363
https://www.facebook.com/security/advisories/cve-2025-27363
http://www.openwall.com/lists/oss-security/2025/03/13/1
http://www.openwall.com/lists/oss-security/2025/03/13/11
http://www.openwall.com/lists/oss-security/2025/03/13/12
http://www.openwall.com/lists/oss-security/2025/03/13/2
http://www.openwall.com/lists/oss-security/2025/03/13/3
http://www.openwall.com/lists/oss-security/2025/03/13/8
http://www.openwall.com/lists/oss-security/2025/03/14/1
http://www.openwall.com/lists/oss-security/2025/03/14/2