Search for vulnerabilities
| Vulnerability ID | VCID-uy24-k7je-pyhr |
| Aliases |
CVE-2025-27363
|
| Summary | A vulnerability has been discovered in FreeType, which can lead to remote code execution. |
| Status | Published |
| Exploitability | 2.0 |
| Weighted Severity | 8.0 |
| Risk | 10.0 |
| Affected and Fixed Packages | Package Details |
| CWE-787 | Out-of-bounds Write |
| System | Score | Found at |
|---|---|---|
| cvssv3 | 8.1 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27363.json |
| epss | 0.63439 | https://api.first.org/data/v1/epss?cve=CVE-2025-27363 |
| epss | 0.64976 | https://api.first.org/data/v1/epss?cve=CVE-2025-27363 |
| epss | 0.64976 | https://api.first.org/data/v1/epss?cve=CVE-2025-27363 |
| epss | 0.64976 | https://api.first.org/data/v1/epss?cve=CVE-2025-27363 |
| epss | 0.64976 | https://api.first.org/data/v1/epss?cve=CVE-2025-27363 |
| epss | 0.64976 | https://api.first.org/data/v1/epss?cve=CVE-2025-27363 |
| cvssv3.1 | 8.1 | https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml |
| archlinux | High | https://security.archlinux.org/AVG-2877 |
| cvssv3.1 | 8.1 | https://www.facebook.com/security/advisories/cve-2025-27363 |
| ssvc | Attend | https://www.facebook.com/security/advisories/cve-2025-27363 |
| Data source | KEV |
|---|---|
| Date added | May 6, 2025 |
| Description | FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution. |
| Required action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Due date | May 27, 2025 |
| Note | This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2025-05-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-27363 |
| Ransomware campaign use | Unknown |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.98411 |
| EPSS Score | 0.63439 |
| Published At | April 13, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T13:01:06.196243+00:00 | Gentoo Importer | Import | https://security.gentoo.org/glsa/202505-07 | 38.0.0 |