CVE-2025-27363

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-27363

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27363.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-27363

Related

Published

2025-03-11T14:15:25Z

Modified

2025-04-02T22:53:43.285433Z

Summary

[none]

Details

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

References

Affected packages

Debian:11 / freetype

Package

Name: freetype
Purl: pkg:deb/debian/freetype?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.4+dfsg-1+deb11u2

Affected versions

2.*

2.10.4+dfsg-1

2.10.4+dfsg-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / freetype

Package

Name: freetype
Purl: pkg:deb/debian/freetype?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.12.1+dfsg-5+deb12u4

Affected versions

2.*

2.12.1+dfsg-5

2.12.1+dfsg-5+deb12u1

2.12.1+dfsg-5+deb12u2

2.12.1+dfsg-5+deb12u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / freetype

Package

Name: freetype
Purl: pkg:deb/debian/freetype?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.1+dfsg-1

Affected versions

2.*

2.12.1+dfsg-5

2.13.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}