CVE-2025-27363

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 5 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

70.76%

probability

This CVE has a 70.76% probability of being exploited in the next 30 days.

0% Top 98.7th percentile of all CVEs 100%

CVSS score unavailable

Neither CIRCL nor NVD returned a CVSS score for this CVE. View on VulnerabilityLookup ↗

Description

Project Zero

OOB write

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

Google Project Zero

Patched

March 11, 2025

Reported by

Exploits & PoC

zhuowei/CVE-2025-27363-proof-of-concept

PoC CVE-2025-27363 — zhuowei/CVE-2025-27363-proof-of-concept

tin-z/CVE-2025-27363

Integer overflow in FreeType software, which also affects Chrome

2 repos — triés par ⭐ Rechercher sur GitHub ↗

Meta Warns of FreeType Vulnerability (CVE-2025-27363) With Active Exploitation Risk

TheHackerNews

CVE-2025-27363 An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Microsoft-MSRC Feb 18, 2026

Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers

TheHackerNews

⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More

TheHackerNews

Oracle Critical Patch Update, July 2025 Security Update Review

Qualys Jul 16, 2025

Signal Intelligence

Confidenceⓘ

92%

EPSS 70.76%

Mentions 5

Last Seen Feb 18, 2026

CNA Information

Analyst Note

CVE-2025-27363 is a high-severity out-of-bounds write vulnerability in FreeType with clear technical details, a CVSS v3 score of 8.1, and reported involvement by Google Project Zero. The Microsoft Security Response Center documentation and explicit statement of potential wild exploitation provide strong validation of the confirmed status.