What is the FreeType vulnerability CVE-2025-27363?

CVE-2025-27363 is a critical out-of-bounds write vulnerability in FreeType's TrueType glyph parsing code, scored CVSS 8.1. It allows malicious font files to execute arbitrary code when processed by any application using FreeType — including Android, Linux desktops, Chrome, and many server-side font processing tools. It was actively exploited in the wild before the patch was released.

How can a font file be malicious?

Font files contain complex binary data structures (glyph outlines, hinting instructions, OpenType layout tables) that must be parsed by the rendering engine. Malformed data in these structures can trigger buffer overflows, integer overflows, or out-of-bounds writes in the parser, potentially allowing arbitrary code execution. This is why font parsing libraries like FreeType are frequent targets.

How do I protect my website from malicious font files?

Only use fonts from trusted sources (Google Fonts, Adobe Fonts, licensed foundries). If you accept user-uploaded fonts, validate them using tools like Font Bakery or our Font Analyzer before serving them. Re-encoding fonts through a converter can strip malicious data by rebuilding the font from parsed glyph data rather than preserving raw binary structures.

Are web fonts served via CSS @font-face affected by font vulnerabilities?

Yes. When a browser downloads a WOFF2 or other font file, it uses a font parsing library (often a FreeType fork or similar) to render glyphs. If the font file is malformed, the parser vulnerability can be triggered in the user's browser. This is why browsers sandbox font rendering and why keeping browsers updated is critical.

Feb 20, 2026Security

Critical FreeType Vulnerability Exploited in Wild — Validate Your Font Files

CVE-2025-27363 is an actively exploited out-of-bounds write in FreeType's glyph parser (CVSS 8.1). Any application that processes font files using FreeType is at risk — including Android, Linux, Chrome, and server-side image generators.

TL;DR

CVE disclosed: March 2025 by Facebook security team; active exploitation confirmed by Google TAG

• CVE-2025-27363 is a critical out-of-bounds write in FreeType (CVSS 8.1), actively exploited in the wild
• Malicious font files can execute arbitrary code when parsed by vulnerable applications
• Affected systems: Android, Linux, Chrome, and any application using FreeType for font rendering
• Mitigation: update FreeType, use fonts only from trusted sources, validate fonts before deployment

Summarize this page with:

ChatGPT Perplexity Claude Grok AI Google AI

Share this page to:

LinkedIn Reddit

In this article

CVE-2025-27363: What Happened

Severity: Critical (CVSS 8.1)

CVE-2025-27363 was actively exploited in targeted attacks before the patch was released. If your application processes untrusted font files using FreeType versions prior to 2.13.1, treat it as compromised until patched.

CVE-2025-27363 is an out-of-bounds write vulnerability discovered in FreeType's TrueType glyph parsing code. Specifically, the vulnerability exists in the handling of subglyph structures within the glyf table — the core table that stores glyph outline data in TrueType and TrueType-based OpenType fonts.

The vulnerability was reported by the Facebook/Meta security team and assigned a CVSS base score of 8.1 (High). Patches were released in FreeType 2.13.1. The critical detail: the vulnerability was being exploited in targeted attacks before the patch was publicly available, meaning there was a period where no defense existed other than avoiding untrusted font files entirely.

CVE-2025-27363 at a Glance

CVE ID	CVE-2025-27363
CVSS Score	8.1 (High)
Type	Out-of-bounds write (CWE-787)
Component	FreeType TrueType glyf parser (subglyph handling)
Reported by	Facebook/Meta Security Team
Patched in	FreeType 2.13.1
Exploited	Yes — in the wild before patch

FreeType is one of the most widely deployed font rendering libraries in the world, used across Android, Linux desktops, Chrome, Firefox, and countless server-side applications. Its ubiquity is precisely what makes vulnerabilities in it so severe — a single flaw in FreeType can affect billions of devices simultaneously. This is not the first FreeType vulnerability of this class; CVE-2023-44429 and several earlier CVEs demonstrate that font parsing is a persistent attack surface.

How Font File Exploits Work

Font files are complex binary formats containing dozens of tables, each with its own internal structure and cross-references. The TrueType glyf table stores glyph outlines as a series of contour points. Composite glyphs — glyphs assembled from multiple simpler components — are defined by subglyph structures that reference other glyphs by index and specify transformation matrices.

CVE-2025-27363 arises because FreeType's parser allocates a buffer based on one count of subglyph structures, but then writes based on a different (larger) count derived from malformed data later in the same record. This is a classic time-of-check/time-of-use class of allocation error: the memory is sized correctly for the declared component count, but the actual write uses a malformed component count that exceeds the allocation — writing bytes beyond the end of the allocated region.

Attack Flow

Malicious font delivered

Attacker distributes a specially crafted TTF or OTF file via download, email attachment, web page font, or user-upload endpoint.

Parser reads glyf table

Application passes the font to FreeType for rendering. FreeType begins parsing the glyf table to extract glyph outlines.

Malformed subglyph data encountered

A composite glyph record contains a manipulated component count. The parser allocates memory for the declared count but processes a larger count from a second read.

Out-of-bounds write triggered

FreeType writes subglyph data beyond the end of the allocated buffer, corrupting adjacent memory structures in the heap.

Code execution achieved

With careful heap shaping, the attacker controls what gets overwritten and achieves arbitrary code execution in the context of the application's process.

This is not an isolated class of vulnerability. FreeType has experienced similar issues in CVE-2023-44429 (heap buffer overflow in WOFF2 processing), and OS-level font rasterizers on Windows and macOS have historically accumulated CVEs for analogous parsing flaws. The reason font parsers are perennially vulnerable is structural: they must process attacker-controlled binary data through complex nested formats, often with tight performance constraints that discourage defensive bounds checking at every level.

Why Re-encoding Helps

When a font is processed through a converter that re-parses and re-serializes the font from scratch (rather than copying raw binary), the malicious binary payload is discarded. The output font is rebuilt from the parsed glyph data — composite glyph structures are re-written with correct counts, stripping the malformed records that trigger the vulnerability. This is why running fonts through a trusted converter is a practical mitigation step.

Who Is Affected

FreeType's deployment breadth means the affected surface is enormous. Billions of devices run software that links against FreeType directly or a fork/derivative of it. The systems below represent the highest-impact affected environments.

System	Font Engine	Status
Android (pre-March 2025 patch)	FreeType (system library)	Vulnerable
Linux desktops (GNOME, KDE)	FreeType via fontconfig/Cairo	Patch available, adoption varies
Google Chrome	FreeType fork (Skia)	Patched in Chrome update
Mozilla Firefox	FreeType (bundled)	Patched in Firefox update
Node.js font processing libs	FreeType via native bindings	Depends on system FreeType version
Server-side image generators	ImageMagick, Pillow, Cairo (link FreeType)	Critical — process untrusted fonts

The highest practical risk is in server-side systems that accept user-uploaded fonts — image generation APIs, PDF renderers, thumbnail generators, and similar services. These systems run FreeType in a server process with potentially broad network access, making code execution particularly dangerous. A malicious font upload can compromise the entire server, not just the requesting user's session.

For end-user devices, the patch adoption rate is the critical variable. Android distributes security patches monthly but device-level adoption is notoriously slow — many devices remain unpatched for months or years. Linux users who keep packages updated are protected, but distributions vary in how quickly they backport security patches to stable releases.

Font Security Best Practices

CVE-2025-27363 is one instance of a recurring pattern. Font file security requires ongoing hygiene, not just a one-time patch response. These practices reduce your exposure to this vulnerability and future ones in the same class.

Do

✓Use fonts exclusively from trusted sources: Google Fonts, Adobe Fonts, licensed foundries with established security practices
✓Validate font files with Font Bakery or our Font Analyzer before deploying to production
✓Re-encode fonts through a converter before serving — this rebuilds the font from parsed data, stripping malicious binary structures
✓Keep FreeType and all font-processing dependencies updated to 2.13.1 or later
✓For user-uploaded fonts: sandbox the parsing process, validate before serving, never parse directly in the main application process

Don't

✗Do not use fonts downloaded from random websites, forums, or file sharing services without validation
✗Do not serve user-uploaded fonts without sanitization — validate and re-encode before storing or serving
✗Do not assume file extension or MIME type validates safety — malformed data hides inside valid-looking containers
✗Do not defer FreeType updates — this vulnerability was exploited in the wild and patches must be applied promptly
✗Do not process fonts from untrusted sources in the same process context as sensitive application logic or data

The re-encoding approach deserves elaboration. When a font is parsed by a converter that reconstructs the binary output from the parsed semantic representation — rather than copying raw table bytes — the malicious binary payload cannot survive. The composite glyph structures are re-serialized from the parsed component list with correct counts. The resulting font is structurally clean because it was never copied from the malformed source; it was rebuilt. This is distinct from converters that repackage fonts by copying table chunks, which would preserve the malicious data.

Validating with Font Bakery or our online Font Analyzer catches structural anomalies that indicate a potentially weaponized font. Malformed subglyph structures, invalid component counts, and out-of-range offsets are all detectable through structural validation — the same checks that a parser would make, but in a controlled, sandboxed environment without executing rendering code.

What to Do Now

If you serve web fonts, process user-uploaded fonts, or manage font assets in any capacity, take these specific steps immediately.

Validate Your Font Files

Run every font in your project through the Font Analyzer. It performs structural validation, detects malformed tables, and identifies files that may have been tampered with. Flag any font with unexpected composite glyph structures or out-of-range component counts for immediate review.

Open Font Analyzer

Check Font Licensing and Provenance

Fonts of unknown origin are both a legal risk and a security risk. The Font License Checker identifies licensing terms and flags fonts with missing or invalid license metadata — a common characteristic of fonts distributed through unofficial channels (which are also more likely to be malicious).

Open Font License Checker

Re-encode Fonts Through the Converter

For any font of uncertain provenance, run it through our converter. The conversion process parses the font at the semantic level and rebuilds the output from scratch — discarding any malformed binary data that cannot be represented in a valid parsed structure. This is the most practical sanitization step available without specialized font security tooling.

Open Font Converter

Sarah Mitchell

Product Designer, Font Specialist

Validate Your Fonts

Detect structural anomalies, validate provenance, and re-encode fonts to strip potentially malicious binary data.

Font Analyzer Font Converter

FreeType Vulnerability FAQs

Common questions about CVE-2025-27363 and font file security