← Zuruck zu CVEs
CVE-2025-27363
HIGHCISA KEV8.1
Beschreibung
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
CVE Details
CVSS v3.1 Bewertung8.1
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatHIGH
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht3/11/2025
Zuletzt geandert4/20/2026
Quellekev
Honeypot-Sichtungen0
CISA KEV
HerstellerFreeType
ProduktFreeType
SchwachstellennameFreeType Out-of-Bounds Write Vulnerability
KEV Aufnahmedatum2025-05-06
Behebungsfrist2025-05-27
Ransomware-NutzungUnknown
Betroffene Produkte
debian:debian_linuxfreetype:freetype
Schwachen (CWE)
CWE-787
Referenzen
https://www.facebook.com/security/advisories/cve-2025-27363(cve-assign@fb.com)
http://www.openwall.com/lists/oss-security/2025/03/13/1(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/13/11(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/13/12(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/13/2(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/13/3(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/13/8(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/14/1(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/14/2(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/14/3(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/03/14/4(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/05/06/3(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2026/04/16/5(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2026/04/19/3(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html(af854a3a-2127-422b-91ae-364da2661108)
https://source.android.com/docs/security/bulletin/2025-05-01(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.