CVE-2025-27363 — FreeType Out-of-Bounds Write Vulnerability

CVE-2025-27363

FreeType — TrueType GX / Variable Font OOB Write; Android/Linux/macOS Affected; Meta Reports Active Exploitation

What is FreeType?

FreeType is the world's most widely used open-source font rendering library. It processes TrueType, OpenType, Type 1, and other font formats to render glyphs on screen. FreeType is embedded in Android, Linux distributions (Fedora, Ubuntu, Debian, etc.), macOS, Chrome, Firefox, GNOME, KDE, and countless applications that display text. Because font processing happens automatically whenever text is rendered — including from remote sources like web pages, documents, and messaging apps — FreeType vulnerabilities have an extremely broad attack surface that can be triggered without explicit user action.

Overview

CVE-2025-27363 is an out-of-bounds write vulnerability (CWE-787) in FreeType triggered when parsing font subglyph structures related to TrueType GX and variable font files. A crafted font file can cause FreeType to write beyond an allocated buffer, resulting in heap corruption and potentially arbitrary code execution. Meta reported active exploitation in the wild, and Google confirmed the vulnerability was exploited before Android's May 2025 Security Bulletin. Any application that processes untrusted fonts is potentially exposed — including Android system components, web browsers, and email clients.

Affected Versions

Product             | Vulnerable                                  | Fixed
FreeType            | < 2.13.4                                    | 2.13.4
Android 13/14/15    | Before May 2025 patch level                 | May 2025 patch level (2025-05-01)
Linux distributions | Varies by distro — check vendor advisories  | Distro-specific FreeType 2.13.4+ packages
macOS               | Included in OS updates                      | Check Apple security advisories

Technical Details

The out-of-bounds write (CWE-787) occurs in FreeType's parsing of TrueType GX fonts (a format for variable fonts, i.e. fonts that can smoothly interpolate between design axes such as weight, width, and slant) and, more broadly, of variable font files. When processing subglyph composite structures, the code computes an offset or count without properly validating it against the available buffer size, and then writes beyond the end of an allocated heap buffer.

Heap corruption from the out-of-bounds write can be exploited by carefully constructing the font file to achieve an arbitrary write primitive, then leveraging it for code execution. The High attack complexity (AC:H) reflects that exploiting the vulnerability requires a specifically crafted font with the right structure to achieve reliable heap corruption — not trivial, but demonstrated in active exploitation.

Exploitation vectors on Android:

  • Malicious image or document containing an embedded custom font (WhatsApp, Signal, email attachments)
  • Web page with a custom @font-face CSS declaration loading a crafted font file
  • Rendering of text in any app that uses FreeType for font processing
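Because the vulnerable code path is only reached for fonts carrying variation data, a defender triaging untrusted attachments can at least separate variable fonts from static ones before deciding what to quarantine or route to a sandboxed renderer. The following script, an added example rather than code from this advisory or from the FreeType project, parses the sfnt table directory (the 12-byte offset table followed by 16-byte table records) and reports which variation tables (`fvar`, `gvar`, `avar`, `cvar`, `HVAR`, `VVAR`, `MVAR`) are present. It also rejects directories whose records point outside the file, the general kind of length inconsistency a font parser must refuse. The sample fonts and the `build_sfnt` helper are constructed for the example and do not produce renderable fonts.

```python
import struct

# sfnt table tags that carry TrueType GX / OpenType variation data. 'fvar' is
# required for any variable font; the others hold the per-axis deltas FreeType parses.
VARIATION_TABLES = {b"fvar", b"gvar", b"avar", b"cvar", b"HVAR", b"VVAR", b"MVAR"}

# Accepted sfnt version fields: TrueType, Apple 'true', and CFF-based OpenType.
SINGLE_FONT_VERSIONS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}


def parse_table_directory(data: bytes) -> dict:
    """Parse the offset table and table records of a single sfnt-based font.
    Returns {tag: (offset, length)}; raises ValueError when the directory is
    inconsistent with the file size."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt offset table")
    version = data[:4]
    if version == b"ttcf":
        raise ValueError("TrueType collections are not handled by this example")
    if version not in SINGLE_FONT_VERSIONS:
        raise ValueError(f"unrecognised sfnt version {version!r}")
    num_tables = struct.unpack(">H", data[4:6])[0]
    if 12 + 16 * num_tables > len(data):
        raise ValueError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        record = data[12 + 16 * i : 12 + 16 * (i + 1)]
        tag, _checksum, offset, length = struct.unpack(">4sIII", record)
        # Every table must lie entirely inside the file; a record claiming more
        # bytes than exist must not be trusted.
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} extends past end of file")
        tables[tag] = (offset, length)
    return tables


def variation_tables_present(data: bytes) -> list:
    """Sorted names of the variation-related tables the font declares."""
    return sorted(t.decode("ascii") for t in parse_table_directory(data) if t in VARIATION_TABLES)


def is_variable_font(data: bytes) -> bool:
    """True when the font declares variation axes (has an 'fvar' table)."""
    return b"fvar" in parse_table_directory(data)


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal sfnt container from {tag: payload}. Used only to build
    the constructed sample input below; the result is not a renderable font."""
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 0, 0, 0)
    directory, body = b"", b""
    offset = 12 + 16 * len(tables)
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        body += payload
        offset += len(payload)
    return header + directory + body


# Constructed samples: one font with variation tables, one static font.
SAMPLE_VARIABLE = build_sfnt({b"head": bytes(54), b"fvar": bytes(16), b"gvar": bytes(20)})
SAMPLE_STATIC = build_sfnt({b"head": bytes(54), b"glyf": bytes(8)})


def triage(data: bytes) -> str:
    """Classify an untrusted font blob for quarantine / sandboxed-rendering decisions."""
    try:
        present = variation_tables_present(data)
    except ValueError as exc:
        return f"malformed: {exc}"
    return "variable font (" + ", ".join(present) + ")" if present else "static font"


if __name__ == "__main__":
    print(triage(SAMPLE_VARIABLE))
    print(triage(SAMPLE_STATIC))
    print(triage(SAMPLE_VARIABLE[:-5]))  # truncated file: last table record points past EOF
```

The classification is a routing aid, not a detection of this specific CVE: a static font is simply outside the vulnerable code path, while a variable font from an untrusted source deserves rendering only with a patched FreeType or inside a sandbox.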

Discovery

Meta's security research team identified active exploitation in the wild and published a security advisory. Google confirmed the vulnerability was being exploited before the Android May 2025 patch.

Exploitation Context

Active exploitation was confirmed by both Meta and Google before the CISA KEV listing on May 6, 2025. The two-month gap between the FreeType 2.13.4 release (March 11) and the KEV listing (May 6) reflects the time taken to confirm exploitation and the time for Android OEMs to integrate the patch.

The exploitation vector — a malicious font embedded in a message or document — makes this well-suited for targeted delivery via messaging platforms (WhatsApp, iMessage, Telegram) or email. The broad deployment of FreeType across all Android versions, Linux distributions, and applications makes the attack surface universal.

Remediation

  1. Apply Android May 2025 security patches (patch level 2025-05-01 or later) on all Android 13–15 devices. The CISA deadline was May 27, 2025.
  2. Update FreeType to 2.13.4 or later on Linux servers and workstations. Check your distribution's package repository:
    • Debian/Ubuntu: apt update && apt install libfreetype6
    • RHEL/Fedora: dnf update freetype
  3. Apply macOS security updates — Apple integrates FreeType fixes into OS updates.
  4. Update Chrome and Firefox — both bundle FreeType and will ship updates incorporating the fix.
  5. Treat untrusted fonts as executable content — block custom fonts in email clients and document viewers where possible; configure browsers to restrict @font-face to trusted domains.
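To turn the thresholds above (FreeType 2.13.4, Android patch level 2025-05-01) into a repeatable check across a fleet, the following script, an added example and not code from this advisory or from any vendor, compares package version strings and Android security patch levels against those thresholds. It assumes version strings as printed by `dpkg-query -W -f '${Version}' libfreetype6` (Debian/Ubuntu) or `rpm -q --queryformat '%{VERSION}' freetype` (RHEL/Fedora), and patch levels as printed by `adb shell getprop ro.build.version.security_patch`; the sample strings in the test are constructed.

```python
import re
import subprocess
from datetime import date
from typing import Optional

# Thresholds from the advisory: first fixed FreeType release and first fixed
# Android security patch level.
FIXED_FREETYPE = (2, 13, 4)
FIXED_ANDROID_PATCH_LEVEL = date(2025, 5, 1)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the upstream FreeType version (major, minor, patch) from a package
    version string such as '2.13.2+dfsg-1build2' (Debian) or '2.13.3' (RPM)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def freetype_is_vulnerable(version: str) -> bool:
    """True when the upstream version is below 2.13.4. Caveat: distributions
    often backport the fix without changing the upstream version number, so a
    'vulnerable' verdict here must be confirmed against the vendor advisory."""
    return parse_version(version) < FIXED_FREETYPE


def android_is_vulnerable(patch_level: str) -> bool:
    """patch_level is the ro.build.version.security_patch property (YYYY-MM-DD)."""
    return date.fromisoformat(patch_level.strip()) < FIXED_ANDROID_PATCH_LEVEL


def _run(cmd: list) -> Optional[str]:
    """Run a command and return its trimmed stdout, or None if it is unavailable."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


def installed_freetype_version() -> Optional[str]:
    """Ask the host's package manager for the FreeType package version.
    Returns None when neither dpkg nor rpm knows the package."""
    return (_run(["dpkg-query", "-W", "-f", "${Version}", "libfreetype6"])
            or _run(["rpm", "-q", "--queryformat", "%{VERSION}", "freetype"]))


def report(freetype_version: Optional[str], android_patch_level: Optional[str] = None) -> dict:
    """Summarise what still needs patching; a None input means 'not applicable / unknown'."""
    result = {}
    if freetype_version is not None:
        result["freetype"] = "vulnerable" if freetype_is_vulnerable(freetype_version) else "fixed"
    if android_patch_level is not None:
        result["android"] = "vulnerable" if android_is_vulnerable(android_patch_level) else "fixed"
    return result


if __name__ == "__main__":
    # On a Linux host: query the local package manager. Android patch levels are
    # collected separately (e.g. via adb or an MDM inventory) and passed in.
    print(report(installed_freetype_version()))
```

Applications that bundle their own FreeType (Chrome and Firefox, per step 4) are not covered by the system package version; those need their own update check.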

Key Details

Property             | Value
CVE ID               | CVE-2025-27363
Vendor / Product     | FreeType — FreeType
NVD Published        | 2025-03-11
NVD Last Modified    | 2025-10-27
CVSS 3.1 Score       | 8.1
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-787
CISA KEV Added       | 2025-05-06
CISA KEV Deadline    | 2025-05-27
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-05-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2025-03-11 | FreeType 2.13.4 released with fix; CVE published
2025-04-01 | Android May 2025 Security Bulletin released; active exploitation in Android confirmed
2025-05-06 | Added to CISA Known Exploited Vulnerabilities catalog
2025-05-27 | CISA BOD 22-01 remediation deadline