CVE-2025-27363

NameCVE-2025-27363
DescriptionAn out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4104-1, DSA-5880-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
freetype (PTS)bullseye2.10.4+dfsg-1+deb11u1vulnerable
bullseye (security)2.10.4+dfsg-1+deb11u2fixed
bookworm2.12.1+dfsg-5+deb12u3vulnerable
bookworm (security)2.12.1+dfsg-5+deb12u4fixed
sid, trixie2.13.3+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
freetypesourcebullseye2.10.4+dfsg-1+deb11u2DLA-4104-1
freetypesourcebookworm2.12.1+dfsg-5+deb12u4DSA-5880-1
freetypesource(unstable)2.13.1+dfsg-1

Notes

https://www.facebook.com/security/advisories/cve-2025-27363
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
Requisite (macro fixup for FT_Q(RE)NEW_ARRAY): https://gitlab.freedesktop.org/freetype/freetype/-/commit/c71eb22dde1a3101891a865fdac20a6de814267d (VER-2-11-1)
Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d (VER-2-13-1)
Followup: https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442 (VER-2-13-3)

Search for package or bug name: Reporting problems