CISA Adds CVE-2025-27363 to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-27363, a critical out-of-bounds write vulnerability in FreeType, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation in the wild. This vulnerability poses a significant risk to systems relying on FreeType for font rendering, including Linux distributions, embedded systems, and applications using TrueType GX and variable fonts.

1. Overview of CVE-2025-27363

Description

  • Vulnerability Type: Out-of-Bounds Write (CWE-787)
  • Affected Component: FreeType font rendering library
  • Impact: Arbitrary Code Execution (ACE)
  • CVSS Score: 8.1 (High)

How It Works

  • The vulnerability exists in FreeType versions 2.13.0 and below, specifically in the code that parses font subglyph structures for TrueType GX and variable fonts.
  • The flawed code assigns a signed short value to an unsigned long, so the size used for the subsequent memory allocation is wrong.
  • An attacker who supplies a crafted font can use this flaw to write outside the allocated buffer, potentially leading to remote code execution (RCE).
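The following is an added illustration of the defect class the bullets above describe (a signed 16-bit count converted to an unsigned long before it is used to size an allocation), placed beside a hardened version. It is not FreeType's code: the function names, the fixed header overhead and the limits are hypothetical, chosen only to show why the conversion goes wrong and what a defensive sizing routine checks.

```c
/* Added example modelling the integer-conversion defect described in the
 * advisory. Not FreeType code: buggy_alloc_size, safe_alloc_size, checked_fill
 * and HEADER_BYTES are hypothetical names for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#define HEADER_BYTES 4UL   /* hypothetical fixed overhead added to the count */

/* Buggy sizing: the signed 16-bit count is converted to unsigned long.
 * A negative count such as -1 becomes ULONG_MAX, and adding HEADER_BYTES
 * then wraps around to a tiny value, so the buffer that gets allocated is
 * far smaller than what the caller later writes into it. */
unsigned long buggy_alloc_size(short count)
{
    unsigned long n = count;        /* -1 -> ULONG_MAX (modular conversion) */
    return n + HEADER_BYTES;        /* ULONG_MAX + 4 wraps to 3 */
}

/* Hardened sizing: reject negative counts, convert explicitly, and compare
 * against an upper bound *before* adding so the sum cannot wrap.
 * Returns 0 when the request is rejected (0 is never a valid size here
 * because HEADER_BYTES > 0). */
unsigned long safe_alloc_size(short count, unsigned long max_bytes)
{
    if (count < 0 || max_bytes < HEADER_BYTES)
        return 0;
    unsigned long n = (unsigned long)count;
    if (n > max_bytes - HEADER_BYTES)
        return 0;
    return n + HEADER_BYTES;
}

/* Defensive write helper: fills `count` bytes into a buffer of `cap` bytes
 * only if they fit, otherwise refuses without touching memory.
 * Returns the number of bytes written, or -1 on rejection. */
long checked_fill(unsigned char *buf, unsigned long cap, short count, unsigned char value)
{
    if (count < 0 || (unsigned long)count > cap)
        return -1;
    memset(buf, value, (size_t)count);
    return (long)count;
}

int main(void)
{
    short counts[] = { 10, -1, SHRT_MAX };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("count=%6d  buggy size=%20lu  safe size (cap 1024)=%lu\n",
               counts[i], buggy_alloc_size(counts[i]),
               safe_alloc_size(counts[i], 1024));
    }
    unsigned char buf[16];
    printf("checked_fill(cap 16, count 32) -> %ld\n", checked_fill(buf, sizeof buf, 32, 0xAA));
    printf("checked_fill(cap 16, count 8)  -> %ld\n", checked_fill(buf, sizeof buf, 8, 0xAA));
    return 0;
}
```

The key point for reviewers of parsing code is that the hardened path checks the sign and the bound before any arithmetic is done in the wider type; once a negative value has been converted, no later comparison on the converted value can tell that it was negative.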

2. Affected Versions

  • FreeType versions 2.13.0 and earlier are vulnerable.
  • The issue was patched in FreeType 2.13.1, released on April 15, 2025.

3. Exploitation Details

Active Exploitation

  • Threat actors have been observed leveraging CVE-2025-27363 in targeted attacks.
  • The vulnerability is particularly dangerous for Linux-based systems, embedded devices, and applications relying on FreeType for font rendering.
  • Facebook’s security team has confirmed exploitation attempts targeting web applications and mobile platforms.

Potential Attack Scenarios

  • Remote attackers can craft malicious font files that trigger the vulnerability when processed by FreeType.
  • Exploited systems may be used for data exfiltration, privilege escalation, or malware deployment.

4. Mitigation Strategies

A. Apply Security Updates

  • Organizations using FreeType should immediately upgrade to version 2.13.1 or later.
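To triage a fleet against the version boundary stated above (2.13.0 and earlier affected, 2.13.1 and later fixed), the following added helper classifies a FreeType version string such as the output of `pkg-config --modversion freetype2`. It is not part of the advisory or of FreeType; `freetype_version_affected` and `parse_version` are hypothetical names for this example.

```c
/* Added example: classify a FreeType version string against the boundary
 * given in the advisory (<= 2.13.0 affected, >= 2.13.1 fixed).
 * Not FreeType code; function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Parse "MAJOR.MINOR[.PATCH]"; a distro suffix such as "-1ubuntu1" after the
 * numbers is ignored because sscanf stops at the first non-matching character.
 * Returns 0 on success, -1 if fewer than two numeric fields were found. */
static int parse_version(const char *s, int *maj, int *min, int *pat)
{
    *maj = *min = *pat = 0;
    int fields = sscanf(s, "%d.%d.%d", maj, min, pat);
    if (fields < 2 || *maj < 0 || *min < 0 || *pat < 0)
        return -1;
    return 0;
}

/* Returns 1 if the version is 2.13.0 or earlier (affected per the advisory),
 * 0 if it is 2.13.1 or later, and -1 if the string cannot be parsed. */
int freetype_version_affected(const char *version)
{
    int maj, min, pat;
    if (parse_version(version, &maj, &min, &pat) != 0)
        return -1;
    if (maj != 2)
        return maj < 2;
    if (min != 13)
        return min < 13;
    return pat < 1;
}

int main(int argc, char **argv)
{
    /* Constructed sample inputs used when no arguments are given. */
    const char *samples[] = { "2.13.0", "2.13.1", "2.12.1-5", "2.13.0-1ubuntu1", "junk" };
    const char **list = argc > 1 ? (const char **)argv + 1 : samples;
    int count = argc > 1 ? argc - 1 : (int)(sizeof samples / sizeof samples[0]);

    for (int i = 0; i < count; i++) {
        int r = freetype_version_affected(list[i]);
        printf("%-20s %s\n", list[i],
               r == 1 ? "AFFECTED (upgrade to 2.13.1 or later)"
             : r == 0 ? "fixed version"
                      : "unparseable");
    }
    return 0;
}
```

One caveat when using this on Linux hosts: distributions frequently backport security fixes without changing the upstream version number, so a package reporting 2.13.0 may already carry the fix. Treat a match here as a prompt to check the vendor's security advisory or package changelog, not as final confirmation.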

B. Restrict Font Processing

  • Limit exposure of font rendering services to trusted sources.
  • Implement sandboxing techniques to isolate font processing from critical system components.

C. Monitor for Exploitation

  • Deploy Intrusion Detection Systems (IDS) to flag suspicious font-related activity.
  • Audit logs for unexpected memory allocation errors linked to FreeType.

5. Compliance Requirements

Federal Agencies

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply patches by May 26, 2025.

6. Conclusion

The inclusion of CVE-2025-27363 in CISA’s KEV Catalog highlights the critical nature of this vulnerability. Organizations using FreeType must prioritize patching, restrict font processing, and monitor for exploitation to mitigate risks.
