FreeType Out-of-Bounds Write Vulnerability Added to CISA Known Exploited Vulnerabilities Catalog (CVE-2025-27363)

Google released its May 2025 security updates for Android, addressing 45 security vulnerabilities. One of the 45 vulnerabilities is an actively exploited zero-click FreeType 2 code execution vulnerability. CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities Catalog. CISA urged users to patch the flaw before May 27, 2025.

FreeType is a free and open-source software library used for rendering fonts. It converts vector font data into bitmaps that can be displayed on a screen. The tool can be understood as a translator that takes the complex mathematical descriptions of fonts and converts them into pixel-based images.

Vulnerability Details

Facebook discovered a critical arbitrary code execution vulnerability in FreeType. The flaw lies in the parsing of font subglyph structures used by TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value; for a negative input the result wraps around, so the heap buffer allocated from it is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer.
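As an added illustration (it is neither FreeType's code nor part of the advisory above), the following C model reproduces the arithmetic defect just described, a signed 16-bit count converted to an unsigned long and then incremented by a constant, alongside a hardened size computation that rejects negative counts and checks for overflow before allocating. The function names and the HEADER_SLOTS constant are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical constant chosen for this model, not FreeType's own value. */
#define HEADER_SLOTS 6UL     /* fixed number of extra long slots added to the count */

/* Size computation with the defect described above: a signed 16-bit count is
   assigned to an unsigned long (the negative value becomes a huge number), and
   a constant is added. For a negative count the sum wraps around to a small
   number, so the heap buffer is far too small for the entries written later. */
unsigned long unchecked_table_bytes(int16_t count_field)
{
    unsigned long slots = count_field;   /* -1 becomes ULONG_MAX here */
    slots += HEADER_SLOTS;               /* wraps: ULONG_MAX + 6 == 5 */
    return slots * sizeof(long);
}

/* Hardened version: a negative count is malformed input and is rejected up
   front, and the arithmetic is bounds-checked before the size is used. */
int checked_table_bytes(int16_t count_field, size_t *out_bytes)
{
    if (count_field < 0)
        return 0;
    size_t slots = (size_t)count_field + HEADER_SLOTS;   /* at most 32767 + 6 */
    if (slots > SIZE_MAX / sizeof(long))
        return 0;                                        /* multiplication would overflow */
    *out_bytes = slots * sizeof(long);
    return 1;
}

/* Reads a big-endian int16 count from a constructed font-table fragment and
   allocates the entry buffer with the hardened computation. Returns the number
   of usable long slots, or -1 on malformed input. The caller frees *buf. */
long alloc_entries(const unsigned char *data, size_t len, long **buf)
{
    size_t bytes;
    if (len < 2)
        return -1;
    int16_t count = (int16_t)(((uint16_t)data[0] << 8) | data[1]);
    if (!checked_table_bytes(count, &bytes))
        return -1;
    *buf = malloc(bytes);
    if (!*buf)
        return -1;
    return (long)(bytes / sizeof(long));
}
```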

Affected Versions

The vulnerability affects FreeType versions before 2.13.0.

Mitigation

Users must upgrade to FreeType version 2.13.0 to patch the vulnerability.

For more information, please refer to the Android Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 610653 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://source.android.com/docs/security/bulletin/2025-05-01
https://www.facebook.com/security/advisories/cve-2025-27363