CVE-2025-27363

Published Mar 11, 2025

Last updated 8 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-27363 is a vulnerability found in FreeType versions 2.13.0 and below. It occurs when parsing font subglyph structures related to TrueType GX and variable font files. The issue stems from assigning a signed short value to an unsigned long, followed by adding a static value. This causes a wrap-around, resulting in a heap buffer that is too small being allocated. The vulnerability allows writing up to 6 signed long integers out of bounds relative to the undersized buffer. This out-of-bounds write can potentially lead to arbitrary code execution. It has been reported that this vulnerability may have been exploited in the wild.

Description

An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and a heap buffer that is too small to be allocated. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
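The arithmetic described above, as a hypothetical C model added here (it is not FreeType's code): a signed 16-bit count read from the font is assigned to an unsigned long and a constant is added, so a negative count wraps to a tiny allocation. The extra-slot count of 4 and the write count of 6 are assumed values, and the hardened variant shows the input check and overflow guard that prevent the wrap.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical model of the CVE-2025-27363 arithmetic, not FreeType's code.
 * EXTRA_SLOTS (4) and WRITE_SLOTS (6) are assumed values for illustration. */
#define EXTRA_SLOTS 4UL
#define WRITE_SLOTS 6UL

/* Vulnerable pattern: the signed count is converted to unsigned long before
 * the addition, so a negative font-supplied count such as -1 becomes
 * ULONG_MAX and the addition wraps around to 3, i.e. an undersized buffer. */
unsigned long vuln_alloc_count(short n_points)
{
    unsigned long count = (unsigned long)n_points; /* sign is lost here */
    count += EXTRA_SLOTS;                          /* may wrap around */
    return count;
}

/* Hardened pattern: reject negative counts before any conversion and guard
 * the addition. Returns 0 (never a valid size here) when the input is bad. */
unsigned long safe_alloc_count(short n_points)
{
    if (n_points < 0)
        return 0;                                  /* malformed font data */
    unsigned long count = (unsigned long)n_points;
    if (count > ULONG_MAX - EXTRA_SLOTS)
        return 0;                                  /* addition would wrap */
    return count + EXTRA_SLOTS;
}

/* Would writing `writes` slots stay inside a buffer of `count` slots? */
int write_fits(unsigned long count, unsigned long writes)
{
    return count != 0 && writes <= count;
}

int main(void)
{
    short bad = -1;                                /* constructed sample */
    unsigned long v = vuln_alloc_count(bad);
    printf("vulnerable: count=%lu, %lu-slot write fits: %d\n",
           v, WRITE_SLOTS, write_fits(v, WRITE_SLOTS));
    printf("hardened:   count=%lu (0 = rejected)\n", safe_alloc_count(bad));
    return 0;
}
```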
Source: cve-assign@fb.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.1
Impact score: 5.9
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Known exploits

Data from CISA

Vulnerability name: FreeType Out-of-Bounds Write Vulnerability
Exploit added on: May 6, 2025
Exploit action due: May 27, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

CWE-787

Social media

Hype score: Not currently trending

  1. The last security update was in February this year. A flaw was found and flagged in March. @MotorolaBR 😕 * CVE-2025-27363 https://t.co/cYRnXj3ZjS
    @jeiel_0rbit, 12 May 2025

  2. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 12 May 2025

  3. CVE-2025-27363: A zero-click RCE in FreeType exploited in the wild. Impacts Android, Linux, and major browsers. Discovered by Meta, patched by Google in May 2025. Update FreeType to v2.13.1+ immediately. #CVE202527363 #Android #FreeType #RCE #CyberSecurity https://t.co/2CqMiN1bUf
    @stephan_fr9324, 12 May 2025

  4. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 11 May 2025

  5. #Android users: #Google just patched a serious zero-day (CVE-2025-27363) being actively exploited. Update your phone *immediately*. The bug lives in the FreeType library. https://t.co/5QgqlQYoZQ #zeroday
    @top10vpn, 11 May 2025

  6. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 10 May 2025

  7. Google has recently released the necessary patch and update for 57 vulnerabilities, the most important of which is an RCE vulnerability with identifier CVE-2025-27363. The phones of
    @AmirHossein_sec, 10 May 2025

  8. 👩🏻‍💻CVE-2025-27363 – Android System Component Exploit Severity: High (CVSS 8.1) A flaw in Android’s System component enables local code execution without needing additional privileges. Google reported targeted exploitation of this vulnerability. Reference: https:
    @miss_redhat, 10 May 2025

  9. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 10 May 2025

  10. Google has released the May security update for Android, which includes fixes for 46 security vulnerabilities. One of these vulnerabilities, with identifier CVE-2025-27363 (with a CVSS score
    @cybernetic_cy, 10 May 2025

  11. 🚨 At the beginning of May, Google released an Android update that fixes a number of vulnerabilities, including the serious zero-day CVE-2025-27363. The bug in the FreeType rendering engine was an out-of-bounds write and could lead to arbitrary code execution. The second
    @AlefSecurity, 9 May 2025

  12. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 9 May 2025

  13. In March this year, Facebook's security team disclosed a major vulnerability, CVE-2025-27363, in the open-source font engine FreeType and said it might be exploited. Google has now patched it in the May Android routine update, noting signs that attackers have already used it in attacks. Additionally, at the end of March, Red H
    @cheng527, 9 May 2025

  14. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 8 May 2025

  15. Google has released the May 2025 security updates for Android with fixes for 45 security flaws. Fixes include the actively exploited zero-click FreeType 2 code execution vulnerability tracked as CVE-2025-27363, which is a high-severity arbitrary code execution bug https://t.co/ujMQv6jVGl h
    @riskigy, 8 May 2025

  16. ⚠️Multiple vulnerabilities in Samsung products ❗CVE-2025-27363 ❗CVE-2025-20957 ❗CVE-2025-20963 ➡️More info: https://t.co/dTeyFqc44S https://t.co/I6LfGMUYd9
    @CERTpy, 8 May 2025

  17. Google has released a new security update for Android that addresses 46 security vulnerabilities, including a critical one that has actually been exploited (CVE-2025-27363)⚠️!! You are advised to update your devices immediately to ensure security.
    @almutamayiz99_, 8 May 2025

  18. 📢Google has released an update fixing the CVE-2025-27363 vulnerability on Android after attacks were found #ThaiCERT #NCSA #CybersecurityNew Follow the news at https://t.co/HCsLrrY
    @ThaiCERTByNCSA, 8 May 2025

  19. Out of bounds write vulnerability in FreeType versions 2.13.0 and below (CVE-2025-27363) #CVE202527363 #CyberSecurity #FreeType #OutofBoundsWriteVulnerability https://t.co/1whSMRDlxG https://t.co/t8sTC5U8qD
    @SystemTek_UK, 8 May 2025

  20. #threatreport #LowCompleteness Android's May 2025 Update Tackles CVE-2025-27363 & More Langflow & MagicINFO Exploited, Kibana at Risk | 07-05-2025 Source: https://t.co/TvKLF2hmm7 Key details below ↓ 💀Threats: Mirai, 🎯Victims: Android, Langflow, Samsung magicinfo,
    @rst_cloud, 8 May 2025

  21. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 8 May 2025

  22. FreeType zero-day vulnerability (CVE-2025-27363) fixed in Android's regular update #セキュリティ対策Lab #セキュリティ #Security https://t.co/aIzkUWMa8D
    @securityLab_jp, 7 May 2025

  23. #TusksUp 🧵1/ URGENT: Android Zero-Day Exploited in the Wild Google just patched CVE-2025-27363 — a critical Android System flaw that's already being used by attackers. If you’re using an Android device, read this now. 👇
    @byte_lock, 7 May 2025

  24. 🔐 Android Users: Critical Security Update Released Google has rolled out the May 2025 Android security update, addressing 47 vulnerabilities, including an actively exploited zero-day flaw (CVE-2025-27363). This update is crucial for protecting your device against potential ht
    @Synergycorpp, 7 May 2025

  25. 🚨 One malicious font file could compromise your entire device and you’d never know Google just patched CVE-2025-27363 in its May 2025 Android security update. It’s a critical vulnerability already being exploited in the wild. https://t.co/mJfJQ7H5t8
    @efani, 7 May 2025

  26. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 7 May 2025

  27. Google's May 2025 Android Security Bulletin patches 46 vulnerabilities, including the active exploit CVE-2025-27363, a local code execution flaw. Timely updates are crucial for device security. 🔒 #Android #SecurityUpdate #USA https://t.co/6s4tw6tI6N
    @TweetThreatNews, 7 May 2025

  28. Actively exploited #FreeType flaw fixed in #Android (#CVE-2025-27363) https://t.co/GxDrbyrbq9
    @ScyScan, 7 May 2025

  29. Google fixes FreeType flaw actively exploited on Android (CVE-2025-27363) https://t.co/rHkRyGTKHU #Security #セキュリティ #ニュース
    @SecureShield_, 7 May 2025

  30. Latest Known Exploited Vulnerabilities (#KEV): #CVE-2025-27363 #FreeType Out-of-Bounds Write Vulnerability https://t.co/0l3MQxdjQn
    @ScyScan, 6 May 2025

  31. 🚨 Android Alert! Google patches CVE-2025-27363, a critical FreeType vulnerability actively exploited in the wild. 🔧 Found by Facebook 📱 Affects millions of Android devices ⚠️ Update to May 2025 patch now! 🔗https://t.co/hzla5CXtGV #Android #CVE202527363 #CyberSecur
    @cybrhoodsentinl, 6 May 2025

  32. 🚨 Update your Android NOW! 🚨 Google fixes the actively exploited vulnerability CVE-2025-27363, which allows code execution without interaction. 📱 It affects FreeType on Android 13-15. Install the May 2025 patch (level 2025-05-05) to protect yourself. #AndroidSecurity h
    @GeosbanysC, 6 May 2025

  33. 🛡️ We added a FreeType out-of-bounds write vulnerability CVE-2025-27363 to our Known Exploited Vulnerabilities Catalog. Visit Redirect to https://t.co/bJOgGeWmb8 & apply mitigations to protect your org from cyberattacks. https://t.co/2nABOzt2eB
    @CISACyber, 6 May 2025

  34. SunsetHost Hacker News Report: Google Addresses Critical Android Vulnerability CVE-2025-27363 in May 2025 Security Update https://t.co/FDqXtU2Nrb https://t.co/mj3RFfmlvw
    @DonELichterman, 6 May 2025

  35. 🚨 Google just fixed a major Android flaw! CVE-2025-27363 lets hackers run code without your action. 📲 Update your Android now! #CyberSecurity #HoplonInfosec #AndroidSecurity #Google #CVE202527363 #Android https://t.co/1LUshMXgyQ
    @HoplonInfosec, 6 May 2025

  36. 🚨 Android Flaw Exploited in the Wild - Google Urges Users to Update ASAP Google just released its May 2025 Android security update, patching 46 vulnerabilities - including one that’s already being actively exploited. 📌 The critical flaw: - CVE-2025-27363 (CVSS 8.1) - F
    @efani, 6 May 2025

  37. Update ASAP: Google Fixes Android #flaw (#CVE-2025-27363) Exploited by Attackers https://t.co/tZOpn8MXDu
    @AdliceSoftware, 6 May 2025

  38. Update ASAP: Google fixes Android flaw (CVE-2025-27363) exploited by attackers https://t.co/liH7ZqIf3r
    @sabatage, 6 May 2025

  39. 🚨 Google fixes critical vulnerability in #Android (CVE-2025-27363) 🚨 The flaw, already actively exploited, allows code execution without additional privileges or user interaction. 📲 Update your device now to protect yourself. 🔗 https://t.co/St9Whmv
    @ojo_cibernetico, 6 May 2025

  40. ⚠️Monthly security updates for Android ❗CVE-2025-27363 ➡️More info: https://t.co/YjS8fvFyDC https://t.co/8zw699BMsF
    @CERTpy, 6 May 2025

  41. A serious vulnerability targeting Android devices. Vulnerability CVE-2025-27363: a flaw in system components that leads to local code execution without the need for additional execution privileges or the intervention of the
    @mr_thamer, 6 May 2025

  42. [Critical vulnerability CVE-2025-27363 in Android is actively exploited] Google has released a security update for Android, eliminating 46 vulnerabilities, including CVE-2025-27363, a critical bug in the System component that allows local code execution without additional https:
    @NGT_Cybercrime, 6 May 2025

  43. 📱 Google Fixes Android Zero-Day Exploited in the Wild One of 46 flaws patched in May, CVE-2025-27363 lets hackers run code on your device—no clicks needed. Update now. https://t.co/BHhNo80Yl8 #Android #ZeroDay https://t.co/ex1E5QYatf
    @dCypherIO, 6 May 2025

  44. Actively exploited CVE: CVE-2025-27363
    @transilienceai, 6 May 2025

  45. Google fixed actively exploited Android flaw CVE-2025-27363 https://t.co/sSefruFSNN
    @Dinosn, 6 May 2025

  46. 📱 Google patches a critical Android zero-day (CVE-2025-27363) in May’s update—an exploit in FreeType used in the wild since March. Update ASAP! #AndroidSecurity #ZeroDay #Google #CyberSecurity #TechNews https://t.co/yryeBpaGBl
    @geniuspulse360, 6 May 2025

  47. Google fixed actively exploited Android flaw CVE-2025-27363 https://t.co/bhxsvmQjFf #TechNews #CyberSecurity #ThreatIntel
    @EnRouteIT, 6 May 2025

  48. 📢 NEWS: @Google rolled out a new security update for Android devices on Monday, which patched around 50 vulnerabilities, including the exploited CVE-2025-27363 piece of code. https://t.co/gRsDSBJiHX
    @hack_snacks, 6 May 2025

  49. Android Update Patches Actively Exploited Vulnerability Google's latest Android security update addresses 46 flaws, including a critical zero-click vulnerability (CVE-2025-27363) being actively exploited. https://t.co/meAAhkH269
    @the_yellow_fall, 6 May 2025

  50. My #tuesdayvibe for t'internet defenders. By me @Forbes: what you need to know about CVE-2025-27363. #infosec https://t.co/OU7xyxPZIR
    @happygeek, 6 May 2025

Configurations