AZL-58354

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-58354.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-58354

Upstream

CVE-2025-27363

Published

2025-03-11T14:15:25Z

Modified

2026-04-01T05:19:16.927415Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2025-27363 affecting package freetype for versions less than 2.13.1-1

Details

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27363

Affected packages

Azure Linux:2 / freetype

Package

Name: freetype
Purl: pkg:rpm/azure-linux/freetype

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-58354.json"