AI description
CVE-2025-27363 is a vulnerability found in FreeType versions 2.13.0 and below. It occurs when parsing font subglyph structures related to TrueType GX and variable font files. The issue stems from assigning a signed short value to an unsigned long, followed by adding a static value. This causes a wrap-around, resulting in a heap buffer that is too small being allocated. The vulnerability allows writing up to 6 signed long integers out of bounds relative to the undersized buffer. This out-of-bounds write can potentially lead to arbitrary code execution. It has been reported that this vulnerability may have been exploited in the wild.
- Description: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
- Source: cve-assign@fb.com
- NVD status: Analyzed
CVSS 3.1
- Type: Primary
- Base score: 8.1
- Impact score: 5.9
- Exploitability score: 2.2
- Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
Data from CISA
- Vulnerability name: FreeType Out-of-Bounds Write Vulnerability
- Exploit added on: May 6, 2025
- Exploit action due: May 27, 2025
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-787
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 5
Google has released the May 2025 security updates for Android with fixes for 45 security flaws. Fixes include actively exploited zero-click FreeType 2 code execution vulnerability tracked as CVE-2025-27363, is a high-severity arbitrary code execution bug https://t.co/ujMQv6jVGl h
@riskigy
8 May 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Google has released a new security update for Android that addresses 46 security vulnerabilities, including a critical vulnerability that has actually been exploited (CVE-2025-27363)⚠️!! You are advised to update your devices immediately to ensure security. ه
@almutamayiz99_
8 May 2025
359 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📢Google releases an update fixing vulnerability CVE-2025-27363 on Android after attacks were detected #ThaiCERT #NCSA #CybersecurityNew Follow the news at https://t.co/HCsLrrY
@ThaiCERTByNCSA
8 May 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Out of bounds write vulnerability in FreeType versions 2.13.0 and below (CVE-2025-27363) #CVE202527363 #CyberSecurity #FreeType #OutofBoundsWriteVulnerability https://t.co/1whSMRDlxG https://t.co/t8sTC5U8qD
@SystemTek_UK
8 May 2025
37 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#threatreport #LowCompleteness Androids May 2025 Update Tackles CVE-2025-27363 & More Langflow & MagicINFO Exploited, Kibana at Risk | 07-05-2025 Source: https://t.co/TvKLF2hmm7 Key details below ↓ 💀Threats: Mirai, 🎯Victims: Android, Langflow, Samsung magicinfo,
@rst_cloud
8 May 2025
60 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
8 May 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
FreeType zero-day vulnerability (CVE-2025-27363) fixed in Android's regular update #セキュリティ対策Lab #セキュリティ #Security https://t.co/aIzkUWMa8D
@securityLab_jp
7 May 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#TusksUp 🧵1/ URGENT: Android Zero-Day Exploited in the Wild Google just patched CVE-2025-27363 — a critical Android System flaw that's already being used by attackers. If you’re using an Android device, read this now. 👇
@byte_lock
7 May 2025
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🔐 Android Users: Critical Security Update Released Google has rolled out the May 2025 Android security update, addressing 47 vulnerabilities, including an actively exploited zero-day flaw (CVE-2025-27363). This update is crucial for protecting your device against potential ht
@Synergycorpp
7 May 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 One malicious font file could compromise your entire device and you’d never know Google just patched CVE-2025-27363 in its May 2025 Android security update. It’s a critical vulnerability already being exploited in the wild. https://t.co/mJfJQ7H5t8
@efani
7 May 2025
316 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
7 May 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Google's May 2025 Android Security Bulletin patches 46 vulnerabilities, including the active exploit CVE-2025-27363, a local code execution flaw. Timely updates are crucial for device security. 🔒 #Android #SecurityUpdate #USA https://t.co/6s4tw6tI6N
@TweetThreatNews
7 May 2025
83 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Actively exploited #FreeType flaw fixed in #Android (#CVE-2025-27363) https://t.co/GxDrbyrbq9
@ScyScan
7 May 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Google fixes FreeType flaw that was being actively exploited in Android (CVE-2025-27363) https://t.co/rHkRyGTKHU #Security #セキュリティ #ニュース
@SecureShield_
7 May 2025
33 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-27363 #FreeType Out-of-Bounds Write Vulnerability https://t.co/0l3MQxdjQn
@ScyScan
6 May 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Android Alert! Google patches CVE-2025-27363, a critical FreeType vulnerability actively exploited in the wild. 🔧 Found by Facebook 📱 Affects millions of Android devices ⚠️ Update to May 2025 patch now! 🔗https://t.co/hzla5CXtGV #Android #CVE202527363 #CyberSecur
@cybrhoodsentinl
6 May 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Update your Android NOW! 🚨 Google fixes the actively exploited vulnerability CVE-2025-27363, which allows code execution without interaction. 📱 It affects FreeType on Android 13-15. Install the May 2025 patch (level 2025-05-05) to protect yourself. #AndroidSecurity h
@GeosbanysC
6 May 2025
30 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🛡️ We added a FreeType out-of-bounds write vulnerability CVE-2025-27363 to our Known Exploited Vulnerabilities Catalog. Visit Redirect to https://t.co/bJOgGeWmb8 & apply mitigations to protect your org from cyberattacks. https://t.co/2nABOzt2eB
@CISACyber
6 May 2025
5011 Impressions
15 Retweets
25 Likes
1 Bookmark
0 Replies
2 Quotes
SunsetHost Hacker News Report: Google Addresses Critical Android Vulnerability CVE-2025-27363 in May 2025 Security Update https://t.co/FDqXtU2Nrb https://t.co/mj3RFfmlvw
@DonELichterman
6 May 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Google just fixed a major Android flaw! CVE-2025-27363 lets hackers run code without your action. 📲 Update your Android now! #CyberSecurity #HoplonInfosec #AndroidSecurity #Google #CVE202527363 #Android https://t.co/1LUshMXgyQ
@HoplonInfosec
6 May 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Android Flaw Exploited in the Wild - Google Urges Users to Update ASAP Google just released its May 2025 Android security update, patching 46 vulnerabilities - including one that’s already being actively exploited. 📌 The critical flaw: - CVE-2025-27363 (CVSS 8.1) - F
@efani
6 May 2025
287 Impressions
1 Retweet
2 Likes
0 Bookmarks
1 Reply
0 Quotes
Update ASAP: Google Fixes Android #flaw (#CVE-2025-27363) Exploited by Attackers https://t.co/tZOpn8MXDu
@AdliceSoftware
6 May 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Update ASAP: Google fixes Android flaw (CVE-2025-27363) exploited by attackers https://t.co/liH7ZqIf3r
@sabatage
6 May 2025
278 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
🚨 Google fixes critical vulnerability in #Android (CVE-2025-27363) 🚨 The flaw, already actively exploited, allows code execution without additional privileges or user interaction. 📲 Update your device now to protect yourself. 🔗 https://t.co/St9Whmv
@ojo_cibernetico
6 May 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️Monthly security updates for Android ❗CVE-2025-27363 ➡️More info: https://t.co/YjS8fvFyDC https://t.co/8zw699BMsF
@CERTpy
6 May 2025
114 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A serious vulnerability targeting Android devices. Vulnerability CVE-2025-27363: a vulnerability in the system components that leads to local code execution without the need for additional execution privileges or the intervention of the
@mr_thamer
6 May 2025
2201 Impressions
0 Retweets
3 Likes
0 Bookmarks
1 Reply
0 Quotes
[Critical vulnerability CVE-2025-27363 in Android is actively exploited] Google has released a security update for Android, eliminating 46 vulnerabilities, including CVE-2025-27363, a critical bug in the System component that allows local code execution without additional https:
@NGT_Cybercrime
6 May 2025
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📱 Google Fixes Android Zero-Day Exploited in the Wild One of 46 flaws patched in May, CVE-2025-27363 lets hackers run code on your device—no clicks needed. Update now. https://t.co/BHhNo80Yl8 #Android #ZeroDay https://t.co/ex1E5QYatf
@dCypherIO
6 May 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
6 May 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Google fixed actively exploited Android flaw CVE-2025-27363 https://t.co/sSefruFSNN
@Dinosn
6 May 2025
2009 Impressions
4 Retweets
9 Likes
4 Bookmarks
0 Replies
0 Quotes
📱 Google patches a critical Android zero-day (CVE-2025-27363) in May’s update—an exploit in FreeType used in the wild since March. Update ASAP! #AndroidSecurity #ZeroDay #Google #CyberSecurity #TechNews https://t.co/yryeBpaGBl
@geniuspulse360
6 May 2025
53 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
Google fixed actively exploited Android flaw CVE-2025-27363 https://t.co/bhxsvmQjFf #TechNews #CyberSecurity #ThreatIntel
@EnRouteIT
6 May 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📢 NEWS: @Google rolled out a new security update for Android devices on Monday, which patched around 50 vulnerabilities, including the exploited CVE-2025-27363 piece of code. https://t.co/gRsDSBJiHX
@hack_snacks
6 May 2025
28 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
Android Update Patches Actively Exploited Vulnerability Google's latest Android security update addresses 46 flaws, including a critical zero-click vulnerability (CVE-2025-27363) being actively exploited. https://t.co/meAAhkH269
@the_yellow_fall
6 May 2025
455 Impressions
4 Retweets
4 Likes
1 Bookmark
0 Replies
0 Quotes
My #tuesdayvibe for t'internet defenders. By me @Forbes: what you need to know about CVE-2025-27363. #infosec https://t.co/OU7xyxPZIR
@happygeek
6 May 2025
161 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers https://t.co/A7Otjg3A6Z https://t.co/Xugzi2B0L9
@talentxfactor
6 May 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers #attack #cyber #security #safey #news https://t.co/QkCo2d1aCX
@AuraproR5678
6 May 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📌 Google has released the May 2025 security updates for Android, providing fixes for 46 security vulnerabilities, among them the high-severity vulnerability CVE-2025-27363, which has been exploited
@Cybercachear
6 May 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Exploited in the wild. No user click needed. Google patches 46 Android flaws, including CVE-2025-27363—a critical System bug tied to the FreeType font engine. Discovered by Meta in March, it's now confirmed active. 🔗 Learn more: https://t.co/re3l5kjmMH
@TheHackersNews
6 May 2025
15375 Impressions
57 Retweets
130 Likes
18 Bookmarks
0 Replies
5 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
5 May 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Meta Warns of FreeType Vulnerability (CVE-2025-27363) With Active Exploitation Risk #CISO https://t.co/oedHdaxhtF https://t.co/Rwzmj5PYg7
@compuchris
6 Apr 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Warning: A critical vulnerability in the FreeType library (CVE-2025-27363) is being exploited in the wild, allowing arbitrary code execution. Update to FreeType 2.13.3 ASAP to protect your systems #CyberSecurity
@deadlockfinger
4 Apr 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
2 Apr 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Lambda Watchdog detected a new HIGH severity CVE 🚨 CVE-2025-27363 was detected in the latest AWS Lambda image scan affecting the freetype package in 9 images. Check the full report 👉 https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
2 Apr 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
1 Apr 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
31 Mar 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Flashpoint weekly vulnerability report: CVE-2025-24201, CVE-2025-27363 and others | Codebook https://t.co/1e01UGJq04 #izumino_trend
@sec_trend
24 Mar 2025
60 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Update if you can: the FreeType vulnerability is being actively exploited. A critical security vulnerability has been discovered in the open-source FreeType font rendering library that may allow remote code execution. The vulnerability tracked under the identifier CVE-2025-27363…
@linuxmint_hun
24 Mar 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-27363
@transilienceai
23 Mar 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨#CVE Updates from JFrog's #Security Research Team: Last week the Meta team released an arbitrary code execution vulnerability with a CVSS score of 8.1 targeting the FreeType font rendering library, CVE-2025-27363. According to the advisory, it may have already been exploited
@jfrog
21 Mar 2025
211 Impressions
2 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "47088474-E5B5-4220-8F12-D664F2DED5C1",
            "versionEndIncluding": "2.13.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]