Vulnerability details: VCID-1c6t-8uk8-53c9
Vulnerability ID VCID-1c6t-8uk8-53c9
Aliases CVE-2025-27363
Summary freetype: OOB write when attempting to parse font subglyph structures related to TrueType GX and variable font files
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
System    Score    Found at
cvssv3    8.1      https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27363.json
epss      0.01973  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.02534  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.04114  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.05369  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.0769   https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.08283  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.09488  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.13074  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.63313  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.66208  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.68423  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.71523  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.73011  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.74291  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
epss      0.75464  https://api.first.org/data/v1/epss?cve=CVE-2025-27363
cvssv3.1  8.1      https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1  8.1      https://nvd.nist.gov/vuln/detail/CVE-2025-27363
archlinux High     https://security.archlinux.org/AVG-2877
cvssv3.1  8.1      https://www.facebook.com/security/advisories/cve-2025-27363
ssvc      Attend   https://www.facebook.com/security/advisories/cve-2025-27363
ssvc      Track    https://www.facebook.com/security/advisories/cve-2025-27363
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27363.json
https://api.first.org/data/v1/epss?cve=CVE-2025-27363
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27363
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
https://source.android.com/docs/security/bulletin/2025-05-01
http://www.openwall.com/lists/oss-security/2025/03/13/1
http://www.openwall.com/lists/oss-security/2025/03/13/11
http://www.openwall.com/lists/oss-security/2025/03/13/12
http://www.openwall.com/lists/oss-security/2025/03/13/2
http://www.openwall.com/lists/oss-security/2025/03/13/3
http://www.openwall.com/lists/oss-security/2025/03/13/8
http://www.openwall.com/lists/oss-security/2025/03/14/1
http://www.openwall.com/lists/oss-security/2025/03/14/2
http://www.openwall.com/lists/oss-security/2025/03/14/3
http://www.openwall.com/lists/oss-security/2025/03/14/4
http://www.openwall.com/lists/oss-security/2025/05/06/3
2351357 https://bugzilla.redhat.com/show_bug.cgi?id=2351357
ASA-202505-11 https://security.archlinux.org/ASA-202505-11
AVG-2877 https://security.archlinux.org/AVG-2877
cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cve-2025-27363 https://www.facebook.com/security/advisories/cve-2025-27363
CVE-2025-27363 https://nvd.nist.gov/vuln/detail/CVE-2025-27363
GLSA-202505-07 https://security.gentoo.org/glsa/202505-07
RHSA-2025:3382 https://access.redhat.com/errata/RHSA-2025:3382
RHSA-2025:3383 https://access.redhat.com/errata/RHSA-2025:3383
RHSA-2025:3384 https://access.redhat.com/errata/RHSA-2025:3384
RHSA-2025:3385 https://access.redhat.com/errata/RHSA-2025:3385
RHSA-2025:3386 https://access.redhat.com/errata/RHSA-2025:3386
RHSA-2025:3387 https://access.redhat.com/errata/RHSA-2025:3387
RHSA-2025:3393 https://access.redhat.com/errata/RHSA-2025:3393
RHSA-2025:3395 https://access.redhat.com/errata/RHSA-2025:3395
RHSA-2025:3407 https://access.redhat.com/errata/RHSA-2025:3407
RHSA-2025:3421 https://access.redhat.com/errata/RHSA-2025:3421
RHSA-2025:3573 https://access.redhat.com/errata/RHSA-2025:3573
RHSA-2025:4409 https://access.redhat.com/errata/RHSA-2025:4409
RHSA-2025:8195 https://access.redhat.com/errata/RHSA-2025:8195
RHSA-2025:8219 https://access.redhat.com/errata/RHSA-2025:8219
RHSA-2025:8253 https://access.redhat.com/errata/RHSA-2025:8253
RHSA-2025:8292 https://access.redhat.com/errata/RHSA-2025:8292
RHSA-2025:9380 https://access.redhat.com/errata/RHSA-2025:9380
USN-7352-1 https://usn.ubuntu.com/7352-1/
USN-7352-2 https://usn.ubuntu.com/7352-2/
Data source KEV
Date added May 6, 2025
Description FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.
Required action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date May 27, 2025
Note
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2025-05-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-27363
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27363.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-27363
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H Found at https://www.facebook.com/security/advisories/cve-2025-27363
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high


Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-05-06T17:42:06Z/ Found at https://www.facebook.com/security/advisories/cve-2025-27363

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-11T13:40:54Z/ Found at https://www.facebook.com/security/advisories/cve-2025-27363
Exploit Prediction Scoring System (EPSS)
Percentile 0.72679
EPSS Score 0.01973
Published At March 29, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-03-28T05:41:56.424887+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27363.json 36.0.0