CVE-2025-27363

CVSSv4: NA | CVSSv3: 8.1 | CVSSv2: NA | VMScore: 910 | EPSS: 0.66208 | KEV: Exploitation Reported
Published: 11/03/2025 Updated: 11/03/2025

Vulnerability Summary

Out-of-Bounds Write Vulnerability in FreeType 2.13.0 Enabling Arbitrary Code Execution

An out-of-bounds write exists in FreeType versions 2.13.0 and below when parsing font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
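The width mix-up in that summary, modelled as an added example (constructed code, not FreeType's; the function names and the exact shape of the check are assumptions): a subglyph count that no longer fits a signed short goes negative, becomes a huge unsigned long, and the `+ 4` wraps the allocation size to 1, while the hardened variant rejects the negative limit before any size arithmetic, in the spirit of the fix commit's "make sure this isn't negative" comment quoted on this page.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the integer-width bug described above; it is not
   FreeType's code and the function names are assumed for illustration. */

/* Vulnerable sizing: the subglyph count is narrowed to a signed short, then
   promoted to unsigned long before the constant 4 is added. 0xFFFD becomes
   -3, then ULONG_MAX - 2, and the addition wraps to 1: the heap buffer is
   sized for one entry instead of 0xFFFD + 4. */
unsigned long vulnerable_alloc_count(unsigned int num_subglyphs)
{
    short         limit = (short)num_subglyphs;  /* 0xFFFD -> -3 */
    unsigned long n     = (unsigned long)limit;  /* -3 -> ULONG_MAX - 2 */
    return n + 4;                                /* wraps to 1 */
}

/* Hardened sizing: reject a negative (wrapped) limit, or a count that cannot
   be represented at all, before any size arithmetic. Returns 0 (never a
   valid size here, since the minimum is 4) when the count is rejected. */
unsigned long hardened_alloc_count(unsigned int num_subglyphs)
{
    short limit = (short)num_subglyphs;
    if ( limit < 0 || num_subglyphs > SHRT_MAX )
        return 0;
    return (unsigned long)limit + 4;
}

/* True when the vulnerable sizing hands the allocator fewer entries than the
   parser expects to fill for this count. */
bool under_allocates(unsigned int num_subglyphs)
{
    return vulnerable_alloc_count(num_subglyphs) < (unsigned long)num_subglyphs + 4;
}

int main(void)
{
    unsigned int counts[] = { 5, 0x7FFF, 0xFFFD };   /* constructed inputs */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("count 0x%04X: vulnerable size %lu, hardened size %lu%s\n",
               counts[i], vulnerable_alloc_count(counts[i]),
               hardened_alloc_count(counts[i]),
               under_allocates(counts[i]) ? " (under-allocated)" : "");
    return 0;
}
```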

Vulnerable Product

freetype (vendor: freetype)

Vendor Advisories

FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cff/cf2intrp.c (CVE-2025-23022). An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a stat ...
An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then write ...

Mailing Lists

In the following change + if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) || + FT_QNEW_ARRAY( outline.tags, limit ) || + FT_QNEW_ARRAY( outline.contours, limit ) || + FT_QNEW_ARRAY( unrounded, limit + 4 ) ) The out of bounds write requires a short integer overflow with a limit value of 0xFFF ...
Hi Marc, On Thu, Mar 13, 2025 at 10:50:38AM -0400, Marc Deslauriers wrote: It is related to this: gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442 see gitlab.freedesktop.org/freetype/freetype/-/issues/1322#note_2822105 The commit itself is only in 2.13.3. Do you have already working ba ...
Thank you for sharing this and for your work on piecing together the commits needed to backport to 2.10.4. On Wed, Mar 12, 2025 at 8:16 PM Michel Lind <michel () michel-slm name> wrote: -- Jonathan Wright AlmaLinux OS Foundation Mattermost: chat <chat.almalinux.org/almalinux/messages/@jonathan> ...
On Fri, Mar 14, 2025, at 7:55 AM, Marc Deslauriers wrote: That's a good call. I've been slightly concerned about those 4 points too. Will probably have to cut another fix. I'll ask the security folks to weigh in again. Thanks, -- _o) Michel Lind _( ) identities: keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 README: htt ...
On 2025-03-13 16:50, Vulnerability Disclosure wrote: Marc ...
I don't know much about this bug, which seems to have been announced by Facebook yesterday: nvd.nist.gov/vuln/detail/CVE-2025-27363 The latest version of FreeType is 2.13.3, which is NOT affected, according to the announcement. Recent distro versions (e.g. Ubuntu 24.04 with 2.13.2) also look safe. However, older distro versions seem to ...
severity: high (CVSS 3.1: 8.1) Affected versions: <= 2.13.0 Description: An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing ...
Hi Michel, On 2025-03-13 22:54, Michel Lind wrote: gitlab.freedesktop.org/freetype/freetype/-/commit/47103b2f195e0f9664c9470182f063cb7d41dc9f -- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -1957,6 +1957,13 @@ limit = (short)gloader->current.num_subglyphs; + /* make sure this isn't negative as we're ...
Hi, On 2025-03-12 16:57, Michel Lind wrote: Also, if this is meant as the fix: - if ( FT_NEW_ARRAY( points, limit + 4 ) || - FT_NEW_ARRAY( tags, limit + 4 ) || - FT_NEW_ARRAY( contours, limit + 4 ) || - FT_NEW_ARRAY( unrounded, limit + 4 ) ) + if ( FT_QNEW_ARRAY( outline.points, limit ...
CISA added this vulnerability to their Known Exploited Vulnerabilities Catalog today, so there will be even more users checking to see if they have it fixed now: www.cisa.gov/news-events/alerts/2025/05/06/cisa-adds-one-known-exploited-vulnerability-catalog Hopefully the distros all have patches out already. -alan- On 3/12/25 16: ...
On Thu, 2025-03-13 at 20:50 +0000, Vulnerability Disclosure wrote: As a follow-up to that (sorry to keep trickling in information) - it turns out a third commit is required: gitlab.freedesktop.org/freetype/freetype/-/commit/c71eb22dde1a3101891a865fdac20a6de814267d FT_QNEW_ARRAY does not do the right thing without this commit, as it was ca ...

Github Repositories

Proof-of-concept for CVE-2025-27363 that crashes FreeType 2.13.0. This modifies Roboto Flex, a variable font, so that the "%" character (glyph 8) is now a composite glyph with 0xfffd subglyphs. Rendering the edited font with FreeType 2.13.0 (the last version before the fix) crashes, with ASAN detecting a heap buffer overflow in load_truetype_glyph: $ lldb /repos2/fr

Recent Articles

Google fixes actively exploited FreeType flaw on Android
BleepingComputer • Bill Toulas • 06 May 2025

Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability. FreeType is a popular open-source font rendering library that displays and programmatically adds text to images. The flaw, tracked as CVE-2025-27363, is a high-severity arbitrary code execution bug discovered by Facebook...

Facebook discloses FreeType 2 flaw exploited in attacks
BleepingComputer • Bill Toulas • 12 Mar 2025

Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), Open...