A critical vulnerability in FreeType, tracked as CVE-2025-27363, has been actively exploited in the wild, prompting urgent patching efforts. This flaw, which affects FreeType versions 2.13.0 and below, has been assigned a CVSS score of 8.1, indicating its high severity. The vulnerability arises from an out-of-bounds write issue when parsing font subglyph structures related to TrueType GX and variable font files. Specifically, the bug occurs due to improper handling of a signed short value being assigned to an unsigned long, leading to potential memory corruption.
The exploitation of this vulnerability has been swift, with attackers leveraging it within 55 days of its disclosure on March 11, 2025. The vulnerability's exploitation potential is underscored by its inclusion in the Known Exploited Vulnerabilities (KEV) catalog on May 6, 2025, and its Exploit Prediction Scoring System (EPSS) score of 0.687, which highlights the likelihood of exploitation.
Google has responded by releasing a patch for Android devices, which are among the affected platforms due to their use of FreeType for font rendering. The urgency of this update is underscored by the availability of at least three proof-of-concept exploits, which could facilitate further attacks if systems remain unpatched.
The vulnerability's impact is significant, as FreeType is widely used in various operating systems and applications for rendering fonts. This broad usage increases the potential attack surface, making it imperative for organizations to apply the available patches promptly. The Software Security Vulnerability Classification (SSVC) has categorized this vulnerability as "attend," indicating that immediate action is required to mitigate the risk.
Security teams should prioritize updating FreeType to the latest version to protect against potential exploitation. Additionally, they should monitor their systems for any signs of compromise, particularly focusing on unusual activities related to font rendering processes. Given the active exploitation and the availability of PoC exploits, delaying the patch could expose systems to significant risk.
CSURFACE