{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27363", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "state": "PUBLISHED", "assignerShortName": "facebook", "dateReserved": "2025-02-21T19:53:14.160Z", "datePublished": "2025-03-11T13:28:31.705Z", "dateUpdated": "2025-04-02T22:03:19.128Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "FreeType", "vendor": "FreeType", "versions": [{"lessThanOrEqual": "2.13.0", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "dateAssigned": "2025-02-21T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild."}], "problemTypes": [{"descriptions": [{"description": "Out-of-bounds Write (CWE-787)", "lang": "en"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2025-03-13T12:54:55.748Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.facebook.com/security/advisories/cve-2025-27363"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-11T13:40:54.939309Z", "id": "CVE-2025-27363", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T13:42:09.970Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/13/1"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/2"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/3"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/8"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/11"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/12"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/1"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/2"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/3"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/4"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-02T22:03:19.128Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/13/1"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/2"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/3"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/8"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/11"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/13/12"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/1"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/2"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/3"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/14/4"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-02T22:03:19.128Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27363", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-11T13:40:54.939309Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T13:42:02.320Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "FreeType", "product": "FreeType", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.13.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.facebook.com/security/advisories/cve-2025-27363", "tags": ["x_refsource_CONFIRM"]}], "dateAssigned": "2025-02-21T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out-of-bounds Write (CWE-787)"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2025-03-13T12:54:55.748Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27363", "state": "PUBLISHED", "dateUpdated": "2025-04-02T22:03:19.128Z", "dateReserved": "2025-02-21T19:53:14.160Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2025-03-11T13:28:31.705Z", "assignerShortName": "facebook"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild."}, {"lang": "es", "value": "Existe una escritura fuera de los l\u00edmites en las versiones 2.13.0 y anteriores de FreeType al intentar analizar estructuras de subglifos de fuentes relacionadas con archivos de fuentes TrueType GX y variables. El c\u00f3digo vulnerable asigna un valor short con signo a un long sin signo y luego a\u00f1ade un valor est\u00e1tico, lo que provoca un bucle y asigna un b\u00fafer de mont\u00f3n demasiado peque\u00f1o. El c\u00f3digo escribe entonces hasta 6 enteros long con signo fuera de los l\u00edmites en relaci\u00f3n con este b\u00fafer. Esto puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Esta vulnerabilidad podr\u00eda haber sido explotada in situ."}], "id": "CVE-2025-27363", "lastModified": "2025-04-02T22:15:18.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "cve-assign@fb.com", "type": "Secondary"}]}, "published": "2025-03-11T14:15:25.427", "references": [{"source": "cve-assign@fb.com", "url": "https://www.facebook.com/security/advisories/cve-2025-27363"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/13/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/13/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/13/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/13/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/13/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/13/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/14/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/14/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/14/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/14/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3395", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "freetype-0:2.8-15.el7_9.1", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3421", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "freetype-0:2.9.1-10.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3393", "cpe": "cpe:/o:redhat:rhel_aus:8.2", "package": "freetype-0:2.9.1-5.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3382", "cpe": "cpe:/o:redhat:rhel_aus:8.4", "package": "freetype-0:2.9.1-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3382", "cpe": "cpe:/o:redhat:rhel_tus:8.4", "package": "freetype-0:2.9.1-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3382", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "freetype-0:2.9.1-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3385", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "freetype-0:2.9.1-6.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3385", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "freetype-0:2.9.1-6.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3385", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "freetype-0:2.9.1-6.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3386", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "freetype-0:2.9.1-10.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3407", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "freetype-0:2.10.4-10.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3407", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "freetype-0:2.10.4-10.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3387", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "freetype-0:2.10.4-7.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3384", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "freetype-0:2.10.4-10.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:3383", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "freetype-0:2.10.4-10.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-03-31T00:00:00Z"}], "bugzilla": {"description": "freetype: OOB write when attempting to parse font subglyph structures related to TrueType GX and variable font files", "id": "2351357", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351357"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.", "A flaw was found in FreeType. In affected versions, an out-of-bounds write condition may be triggered when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This issue could result in arbitrary code execution or other undefined behavior."], "mitigation": {"lang": "en:us", "value": "By restricting the sources from which font files can be loaded allowing only fonts from trusted sources, as well as validating the input for font files to avoid malformed font structures or any data which could trigger the vulnerability would reduce the risk and mitigate this vulnerability until the fix is provided."}, "name": "CVE-2025-27363", "package_state": [{"cpe": "cpe:/a:redhat:openjdk:11", "fix_state": "Not affected", "package_name": "java-11-openjdk", "product_name": "Red Hat build of OpenJDK 11"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Not affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Not affected", "package_name": "java-21-openjdk-rhel7", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "freetype", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mingw-freetype", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-03-11T13:28:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27363\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27363\nhttps://www.facebook.com/security/advisories/cve-2025-27363"], "statement": "This vulnerability stems from improper handling of data types within the FreeType library during the parsing of font subglyph structures. This could causes incorrect calculations that result in heap buffer allocation being too small. This could allow the library write data beyond the allocated buffer, affecting adjacent memory areas, leading into arbitrary code executions compromising the entire system and system stability such as misleading behaviors in applications which relies on FreeType, or causing possible crashes impacting the entire system.", "threat_severity": "Important"}