SUSE update for freetype2



| Updated: 2025-05-30
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2025-27363
CWE-ID CWE-787
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
 SUSE Linux Enterprise High Performance Computing LTSS 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing ESPOS 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP5
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP3
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP4
Operating systems & Components / Operating system

Desktop Applications Module
Operating systems & Components / Operating system

Basesystem Module
Operating systems & Components / Operating system

SUSE Linux Enterprise Real Time 15
Operating systems & Components / Operating system

openSUSE Leap
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Desktop 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Micro
Operating systems & Components / Operating system

SUSE Linux Enterprise Micro for Rancher
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15
Operating systems & Components / Operating system

SUSE Enterprise Storage
Operating systems & Components / Operating system

SUSE Manager Retail Branch Server
Operating systems & Components / Operating system

SUSE Manager Server
Operating systems & Components / Operating system

SUSE Manager Proxy
Operating systems & Components / Operating system

ft2demos
Operating systems & Components / Operating system package or component

freetype2-profile-tti35
Operating systems & Components / Operating system package or component

freetype2-devel-32bit
Operating systems & Components / Operating system package or component

libfreetype6-32bit
Operating systems & Components / Operating system package or component

libfreetype6-32bit-debuginfo
Operating systems & Components / Operating system package or component

ftgrid
Operating systems & Components / Operating system package or component

ftlint
Operating systems & Components / Operating system package or component

ftbench
Operating systems & Components / Operating system package or component

libfreetype6-debuginfo
Operating systems & Components / Operating system package or component

ftdump
Operating systems & Components / Operating system package or component

freetype2-debugsource
Operating systems & Components / Operating system package or component

ftview
Operating systems & Components / Operating system package or component

ftvalid
Operating systems & Components / Operating system package or component

ftmulti
Operating systems & Components / Operating system package or component

ftdiff
Operating systems & Components / Operating system package or component

libfreetype6
Operating systems & Components / Operating system package or component

freetype2-devel
Operating systems & Components / Operating system package or component

ftgamma
Operating systems & Components / Operating system package or component

ftstring
Operating systems & Components / Operating system package or component

ftinspect
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Out-of-bounds write

EUVDB-ID: #VU105715

Risk: Critical

CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2025-27363

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can pass a specially crafted font to the application that is using an affected version of the library, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Update the affected package freetype2 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP5: LTSS

SUSE Linux Enterprise Server 15 SP3: LTSS

SUSE Linux Enterprise Server 15 SP4: LTSS

Desktop Applications Module: 15-SP6

Basesystem Module: 15-SP6

SUSE Linux Enterprise Real Time 15: SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP6

SUSE Linux Enterprise Server 15: SP3 - SP6

SUSE Linux Enterprise Desktop 15: SP6

SUSE Linux Enterprise Micro: 5.1 - 5.5

SUSE Linux Enterprise Micro for Rancher: 5.2 - 5.4

SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

ft2demos: before 2.10.4-150000.4.18.1

freetype2-profile-tti35: before 2.10.4-150000.4.18.1

freetype2-devel-32bit: before 2.10.4-150000.4.18.1

libfreetype6-32bit: before 2.10.4-150000.4.18.1

libfreetype6-32bit-debuginfo: before 2.10.4-150000.4.18.1

ftgrid: before 2.10.4-150000.4.18.1

ftlint: before 2.10.4-150000.4.18.1

ftbench: before 2.10.4-150000.4.18.1

libfreetype6-debuginfo: before 2.10.4-150000.4.18.1

ftdump: before 2.10.4-150000.4.18.1

freetype2-debugsource: before 2.10.4-150000.4.18.1

ftview: before 2.10.4-150000.4.18.1

ftvalid: before 2.10.4-150000.4.18.1

ftmulti: before 2.10.4-150000.4.18.1

ftdiff: before 2.10.4-150000.4.18.1

libfreetype6: before 2.10.4-150000.4.18.1

freetype2-devel: before 2.10.4-150000.4.18.1

ftgamma: before 2.10.4-150000.4.18.1

ftstring: before 2.10.4-150000.4.18.1

ftinspect: before 2.10.4-150000.4.18.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2025/suse-su-20250998-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###