CVE-2025-27363

EUVD-2025-6367
An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Provider: NIST (Type: Primary)
Base Score (CVSS 3.x): 8.1 HIGH
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: Percentile 98%
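The description above gives the integer-conversion pattern behind the bug: a signed short is widened to an unsigned long, a constant is added, and a negative input wraps to a tiny allocation size. The following C example is added here to illustrate that arithmetic and the check that prevents it; it is not FreeType's code, and EXTRA_ENTRIES, ENTRIES_WRITTEN and all function names are hypothetical stand-ins, since the page does not state the real constant or identifiers.

```c
#include <stdio.h>

/* Hypothetical stand-in for the "static value" the description mentions;
 * the page does not give the real constant or FreeType's identifiers. */
#define EXTRA_ENTRIES   4UL
/* The description says up to 6 signed longs are written into the buffer. */
#define ENTRIES_WRITTEN 6UL

/* Vulnerable pattern from the description: a signed short count is stored
 * in an unsigned long and a constant is added. A negative count converts
 * to a value near ULONG_MAX, so the addition wraps to a tiny entry count
 * and the heap buffer sized from it is far too small. */
unsigned long entries_unchecked(short count)
{
    unsigned long n = count;        /* -1 becomes ULONG_MAX here */
    return n + EXTRA_ENTRIES;       /* ULONG_MAX + 4 wraps around to 3 */
}

/* Hardened variant: validate the count while it is still signed and only
 * then widen it. Returns 0 when the count is rejected (a valid result is
 * always at least EXTRA_ENTRIES), so a caller must not allocate on 0. */
unsigned long entries_checked(short count)
{
    if (count < 0)
        return 0;
    return (unsigned long)count + EXTRA_ENTRIES;
}

/* Would writing `writes` longs stay inside a buffer of `entries` longs? */
int write_fits(unsigned long entries, unsigned long writes)
{
    return writes <= entries;
}

int main(void)
{
    short bad = -1;                 /* constructed malformed subglyph count */
    unsigned long n = entries_unchecked(bad);
    printf("unchecked: count %d -> %lu entries, %lu longs written, fits=%d\n",
           bad, n, ENTRIES_WRITTEN, write_fits(n, ENTRIES_WRITTEN));
    if (entries_checked(bad) == 0)
        printf("checked: count %d rejected before any allocation\n", bad);
    return 0;
}
```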
Affected Products (NVD)
Vendor     Product        Vulnerable versions
freetype   freetype       ≤ 2.13.0
debian     debian_linux   11.0
openSUSE / SLES Releases

Package: freetype2-devel
  openSUSE Product                  Release (package version)   Status
  suse enterprise desktop 15 SP6    2.10.4-150000.4.18.1        fixed
  suse enterprise desktop 15 SP7    2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP3        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP4        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP5        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP6        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP7        2.10.4-150000.4.18.1        fixed
  suse enterprise server 12 SP5     2.6.3-7.21.1                fixed
  suse enterprise server 15 SP2     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP3     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP4     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP5     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP6     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP7     2.10.4-150000.4.18.1        fixed

Package: ft2demos
  openSUSE Product                  Release (package version)   Status
  suse enterprise server 12 SP3     2.6.3-7.21.1                fixed
  suse enterprise server 12 SP5     2.6.3-7.21.1                fixed

Package: ftdump
  openSUSE Product                  Release (package version)   Status
  suse enterprise sap 15 SP3        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP4        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP5        2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP2     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP3     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP4     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP5     2.10.4-150000.4.18.1        fixed

Package: libfreetype6
  openSUSE Product                  Release (package version)   Status
  suse enterprise desktop 15 SP6    2.10.4-150000.4.18.1        fixed
  suse enterprise desktop 15 SP7    2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP3        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP4        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP5        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP6        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP7        2.10.4-150000.4.18.1        fixed
  suse enterprise server 12 SP3     2.6.3-7.21.1                fixed
  suse enterprise server 12 SP5     2.6.3-7.21.1                fixed
  suse enterprise server 15 SP2     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP3     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP4     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP5     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP6     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP7     2.10.4-150000.4.18.1        fixed

Package: libfreetype6-32bit
  openSUSE Product                  Release (package version)   Status
  suse enterprise desktop 15 SP6    2.10.4-150000.4.18.1        fixed
  suse enterprise desktop 15 SP7    2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP3        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP4        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP5        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP6        2.10.4-150000.4.18.1        fixed
  suse enterprise sap 15 SP7        2.10.4-150000.4.18.1        fixed
  suse enterprise server 12 SP3     2.6.3-7.21.1                fixed
  suse enterprise server 12 SP5     2.6.3-7.21.1                fixed
  suse enterprise server 15 SP2     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP3     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP4     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP5     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP6     2.10.4-150000.4.18.1        fixed
  suse enterprise server 15 SP7     2.10.4-150000.4.18.1        fixed
Red Hat Enterprise Linux Releases

Package: freetype
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:2.9.1-10.el8_10           fixed
  RHEL 8.2 AUS      0:2.9.1-5.el8_2.1           fixed
  RHEL 8.4 AUS      0:2.9.1-7.el8_4             fixed
  RHEL 8.4 E4S      0:2.9.1-7.el8_4             fixed
  RHEL 8.4 TUS      0:2.9.1-7.el8_4             fixed
  RHEL 8.6 AUS      0:2.9.1-6.el8_6.3           fixed
  RHEL 8.6 E4S      0:2.9.1-6.el8_6.3           fixed
  RHEL 8.6 TUS      0:2.9.1-6.el8_6.3           fixed
  RHEL 8.8 AUS      0:2.9.1-10.el8_8            fixed
  RHEL 8.8 E4S      0:2.9.1-10.el8_8            fixed
  RHEL 8.8 EUS      0:2.9.1-10.el8_8            fixed
  RHEL 8.8 TUS      0:2.9.1-10.el8_8            fixed
  RHEL 9            0:2.10.4-10.el9_5           fixed

Package: freetype-devel
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:2.9.1-10.el8_10           fixed
  RHEL 8.2 AUS      0:2.9.1-5.el8_2.1           fixed
  RHEL 8.4 AUS      0:2.9.1-7.el8_4             fixed
  RHEL 8.4 E4S      0:2.9.1-7.el8_4             fixed
  RHEL 8.4 TUS      0:2.9.1-7.el8_4             fixed
  RHEL 8.6 AUS      0:2.9.1-6.el8_6.3           fixed
  RHEL 8.6 E4S      0:2.9.1-6.el8_6.3           fixed
  RHEL 8.6 TUS      0:2.9.1-6.el8_6.3           fixed
  RHEL 8.8 AUS      0:2.9.1-10.el8_8            fixed
  RHEL 8.8 E4S      0:2.9.1-10.el8_8            fixed
  RHEL 8.8 EUS      0:2.9.1-10.el8_8            fixed
  RHEL 8.8 TUS      0:2.9.1-10.el8_8            fixed
  RHEL 9            0:2.10.4-10.el9_5           fixed

Package: mingw32-freetype
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:2.8-3.el8_10.1            fixed
  RHEL 8.8 AUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 E4S      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 EUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 TUS      0:2.8-3.el8_8.1             fixed

Package: mingw32-freetype-static
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:2.8-3.el8_10.1            fixed
  RHEL 8.8 AUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 E4S      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 EUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 TUS      0:2.8-3.el8_8.1             fixed

Package: mingw64-freetype
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:2.8-3.el8_10.1            fixed
  RHEL 8.8 AUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 E4S      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 EUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 TUS      0:2.8-3.el8_8.1             fixed

Package: mingw64-freetype-static
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:2.8-3.el8_10.1            fixed
  RHEL 8.8 AUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 E4S      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 EUS      0:2.8-3.el8_8.1             fixed
  RHEL 8.8 TUS      0:2.8-3.el8_8.1             fixed

Package: spice-client-win-x64
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:8.10-1.el8_10             fixed
  RHEL 8.2 AUS      0:8.2-1.el8_2               fixed
  RHEL 8.4 AUS      0:8.4-2.el8_4               fixed
  RHEL 8.4 E4S      0:8.4-2.el8_4               fixed
  RHEL 8.4 TUS      0:8.4-2.el8_4               fixed
  RHEL 8.6 AUS      0:8.6-1.el8_6               fixed
  RHEL 8.6 E4S      0:8.6-1.el8_6               fixed
  RHEL 8.6 TUS      0:8.6-1.el8_6               fixed
  RHEL 8.8 AUS      0:8.8-5.el8_8               fixed
  RHEL 8.8 E4S      0:8.8-5.el8_8               fixed
  RHEL 8.8 EUS      0:8.8-5.el8_8               fixed
  RHEL 8.8 TUS      0:8.8-5.el8_8               fixed

Package: spice-client-win-x86
  Red Hat Product   Release (package version)   Status
  RHEL 8            0:8.10-1.el8_10             fixed
  RHEL 8.2 AUS      0:8.2-1.el8_2               fixed
  RHEL 8.4 AUS      0:8.4-2.el8_4               fixed
  RHEL 8.4 E4S      0:8.4-2.el8_4               fixed
  RHEL 8.4 TUS      0:8.4-2.el8_4               fixed
  RHEL 8.6 AUS      0:8.6-1.el8_6               fixed
  RHEL 8.6 E4S      0:8.6-1.el8_6               fixed
  RHEL 8.6 TUS      0:8.6-1.el8_6               fixed
  RHEL 8.8 AUS      0:8.8-5.el8_8               fixed
  RHEL 8.8 E4S      0:8.8-5.el8_8               fixed
  RHEL 8.8 EUS      0:8.8-5.el8_8               fixed
  RHEL 8.8 TUS      0:8.8-5.el8_8               fixed