How severe is CVE-2025-27363?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2025-27363?

This is classified as CWE-787, which is a common weakness in software security.

CVE-2025-27363 - HIGH Severity | CVSS 8.1

Vulnerability Description

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Related Vulnerabilities

CVE-2012-0754

HIGH

CVSS:8.1(High)

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attack...

CWE-7872012

CVE-2016-2371

HIGH

CVSS:8.1(High)

An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.

CWE-7872016

CVE-2017-2780

HIGH

CVSS:8.1(High)

An exploitable heap buffer overflow vulnerability exists in the X509 certificate parsing functionality of InsideSecure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a buffer overflo...

CWE-7872017

CVE-2017-2781

HIGH

CVSS:8.1(High)

CWE-7872017

CVE-2018-5210

HIGH

CVSS:8.1(High)

On Samsung mobile devices with N(7.x) software and Exynos chipsets, attackers can conduct a Trustlet stack overflow attack for arbitrary TEE code execution, in conjunction with a brute-force attack to...

CWE-7872018

CVE-2019-11516

HIGH

CVSS:8.1(High)

An issue was discovered in the Bluetooth component of the Cypress (formerly owned by Broadcom) Wireless IoT codebase. Extended Inquiry Responses (EIRs) are improperly handled, which causes a heap-base...

CWE-7872019