CVE-2025-27363

Severity: HIGH · CISA KEV

FreeType < 2.13.0 - Out-of-bounds Write in TrueType GX Subglyph Parsing


Exploitation Summary

CVE-2025-27363 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 6, 2025. EIP tracks 3 public exploits from researchers including zhuowei, tin-z, ov3rf1ow.

AI-analyzed exploit summary: This PoC demonstrates a heap buffer overflow in FreeType 2.13.0 by modifying the Roboto Flex font to include a composite glyph with an excessive number of subglyphs (0xfffd), triggering a crash during rendering.

Description

An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when parsing font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a constant, causing the value to wrap around so that a heap buffer that is too small is allocated. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Exploits (3)

nomisec · Working PoC · 36 stars
by zhuowei · client-side
https://github.com/zhuowei/CVE-2025-27363-proof-of-concept

This PoC demonstrates a heap buffer overflow in FreeType 2.13.0 by modifying the Roboto Flex font to include a composite glyph with an excessive number of subglyphs (0xfffd), triggering a crash during rendering.

Classification: Working PoC (100%)
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: FreeType 2.13.0
Authentication: none needed
Prerequisites: FreeType 2.13.0 installation · Roboto Flex font · fonttools and p7zip utilities
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Working PoC · 23 stars
by tin-z · client-side
https://github.com/tin-z/CVE-2025-27363

This repository contains a proof-of-concept exploit for CVE-2025-27363, targeting a font-related vulnerability. The exploit includes scripts for generating malicious font files and achieving remote code execution (RCE) via crafted glyphs.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (font-related software, likely a browser or font rendering engine)
Authentication: none needed
Prerequisites: Ability to deliver a malicious font file to the target system · Target software must process the font file
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 8.1
EPSS: 0.7034
EPSS Percentile: 98.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2025-05-06
VulnCheck KEV: 2025-03-11
ENISA EUVD: EUVD-2025-6367
CWE: CWE-787
Status: published
Products (3):
debian/debian_linux 11.0
freetype/freetype < 2.13.0
FreeType/FreeType 0.0.0 - 2.13.0
Published: Mar 11, 2025
KEV Added: May 06, 2025
Tracked Since: Feb 18, 2026