U.S. CISA Adds FreeType Flaw to Its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the popular font library FreeType to its catalog of known exploited vulnerabilities. The addition comes as warning signs mount for users of Android devices, with Google's monthly security updates addressing 46 flaws, including the widely exploited CVE-2025-27363.

CVE-2025-27363, which affects FreeType versions 2.13.0 and below, has been deemed high-risk by CISA and carries a CVSS score of 8.1, placing it in the high-severity range; successful exploitation could lead to arbitrary code execution.

According to Meta, the company that first disclosed the vulnerability, an out-of-bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. This allows attackers to write up to six signed long integers beyond the bounds of a small heap buffer, potentially leading to arbitrary code execution.

However, Meta notes that the vulnerability does not impact FreeType versions after 2.13.0. The real concern lies with multiple Linux distributions, which are using outdated library versions that leave them vulnerable to attacks.
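As an added example, not code from the article or from the FreeType project, the following POSIX shell snippet checks whether an installed FreeType falls in the affected range stated above (2.13.0 and below). It assumes pkg-config is available and that the installed library registers the `freetype2` module; the version comparison handles dotted numeric versions only.

```sh
# Added example: flag a FreeType install that is 2.13.0 or older, the range
# the article gives for CVE-2025-27363. Not code from the article or FreeType.

# Compare two dotted numeric versions field by field.
# Prints -1, 0 or 1 as $1 is less than, equal to or greater than $2.
# Missing trailing fields count as 0, so "2.13" equals "2.13.0".
vercmp() {
    _a="$1." _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x="${_a%%.*}"; _a="${_a#*.}"
        _y="${_b%%.*}"; _b="${_b#*.}"
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then echo -1; return 0; fi
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then echo 1; return 0; fi
    done
    echo 0
}

# True (exit 0) when the given FreeType version is 2.13.0 or below.
freetype_is_vulnerable() {
    [ "$(vercmp "$1" 2.13.0)" -le 0 ]
}

# Ask the installed library for its version (assumes pkg-config is present;
# prints nothing if the freetype2 module is not registered).
installed_freetype_version() {
    pkg-config --modversion freetype2 2>/dev/null
}

# Report on the local system when the script is run directly.
if _v=$(installed_freetype_version) && [ -n "$_v" ]; then
    if freetype_is_vulnerable "$_v"; then
        echo "FreeType $_v is in the affected range (<= 2.13.0): update it"
    else
        echo "FreeType $_v is outside the affected range"
    fi
else
    echo "FreeType not found via pkg-config; check your package manager"
fi
```

On systems without pkg-config, feed the version reported by your package manager to `freetype_is_vulnerable` instead.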

A Targeted Exploit

Google's monthly security updates for Android addressed 46 flaws, including the widely exploited CVE-2025-27363 (CVSS score of 8.1). While Google did not disclose any details regarding the attacks or the threat actors exploiting the vulnerability, there are indications that CVE-2025-27363 may be under limited, targeted exploitation.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have a deadline of May 27, 2025, to address identified vulnerabilities like CVE-2025-27363. Private organizations are also urged to review the Catalog and address the vulnerabilities in their infrastructure.

Experts warn that multiple factors make exploitation of this vulnerability more difficult for attackers, including enhancements in newer versions of the Android platform. However, with a high CVSS score, this vulnerability remains a critical threat to users of outdated library versions.

A Call to Action

As CISA urges federal agencies and private organizations to act on CVE-2025-27363, all users should update their systems to the latest version of FreeType. Android users who have not yet installed Google's monthly security update, which addresses this vulnerability, remain particularly at risk.

In conclusion, while the details surrounding the attacks exploiting CVE-2025-27363 remain unknown, one thing is clear: this vulnerability poses a significant threat to users of outdated library versions. As such, it is crucial for organizations and individuals alike to take immediate action to address this known exploited vulnerability.