Pierluigi Paganini May 07, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds FreeType flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FreeType flaw, tracked as CVE-2025-27363 (CVSS score of 8.1), to its Known Exploited Vulnerabilities (KEV) catalog.

In mid-March, Meta warned that the out-of-bounds write vulnerability CVE-2025-27363 may have been actively exploited in attacks.

“An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files.” reads the advisory published by Meta. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution.”

The company did not disclose details on the attacks exploiting this vulnerability, attackers, or attack scale.

“This vulnerability may have been exploited in the wild.” continues the advisory.

The vulnerability doesn’t impact FreeType versions after 2.13.0.

The experts warn that multiple Linux distributions are using an outdated library version, making them vulnerable to attacks.

“Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.” concludes the Google’s Bulletin.

This week, Google’s monthly security updates for Android addressed 46 flaws, including the flaw CVE-2025-27363 (CVSS score of 8.1) that has been exploited in the wild. The company did not disclose any details regarding the attacks or the threat actors exploiting the vulnerability.

The vulnerability resides in the System component, and successful exploitation could lead to local code execution.

“The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed. User interaction is not needed for exploitation.” reads the Android Security Bulletin—May 2025.

“There are indications that CVE-2025-27363 may be under limited, targeted exploitation.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by May 27, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)