freetype-2.9.1-9.el8.ML.1
Errata ID: AXSA:2025-9777:02
The FreeType engine is a free and portable font rendering
engine, developed to provide advanced font support for a variety of
platforms and environments. FreeType is a library which can open and
manage font files as well as efficiently load, hint and render
individual glyphs. FreeType is not a font server or a complete
text-rendering library.
Security Fix(es):
An out of bounds write exists in FreeType versions 2.13.0 and below (newer
versions of FreeType are not vulnerable) when attempting to parse font subglyph
structures related to TrueType GX and variable font files. The vulnerable code
assigns a signed short value to an unsigned long and then adds a static value
causing it to wrap around and allocate too small of a heap buffer. The code then
writes up to 6 signed long integers out of bounds relative to this buffer. This
may result in arbitrary code execution. This vulnerability may have been
exploited in the wild. (CVE-2025-27363)
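The size calculation described above, reduced to its arithmetic, as an added example that is not FreeType's code. The constant `EXTRA_ELEMS`, the function names and the sample field bytes are assumptions constructed for illustration; the advisory does not give the actual static value.

```c
#include <stdio.h>

#define EXTRA_ELEMS 4UL /* assumed "static value"; not taken from the advisory */

/* Read a big-endian 16-bit field as a signed short, as a font parser would. */
static short read_be_short(const unsigned char *p) {
    int v = (p[0] << 8) | p[1];
    if (v >= 0x8000)
        v -= 0x10000;               /* portable two's-complement decode */
    return (short)v;
}

/* Flawed pattern: signed short widened to unsigned long, then a constant added. */
unsigned long flawed_elem_count(const unsigned char *field) {
    unsigned long n = (unsigned long)read_be_short(field); /* -1 -> ULONG_MAX */
    return n + EXTRA_ELEMS;         /* wraps around to a very small count */
}

/* Hardened pattern: reject negative values before widening.
 * Returns 0 and stores the count on success, -1 if the field is rejected. */
int checked_elem_count(const unsigned char *field, unsigned long *out) {
    short raw = read_be_short(field);
    if (raw < 0)
        return -1;                  /* a negative count is malformed input */
    *out = (unsigned long)raw + EXTRA_ELEMS; /* at most 32767 + 4, cannot wrap */
    return 0;
}

int main(void) {
    /* Constructed sample field values, not bytes from a real font file. */
    const unsigned char samples[][2] = {
        {0x00, 0x03}, {0x7F, 0xFF}, {0xFF, 0xFF}, {0xFF, 0xFC}
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long safe = 0;
        int rc = checked_elem_count(samples[i], &safe);
        printf("field=%02X%02X signed=%d flawed_count=%lu checked=%s\n",
               samples[i][0], samples[i][1], read_be_short(samples[i]),
               flawed_elem_count(samples[i]), rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A buffer sized from the flawed count for the field `FFFF` holds 3 elements, while any later loop that still treats the original value as a count works from a different number, which is the mismatch the advisory describes.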
CVE(s):
CVE-2025-27363
Update packages.
N/A
SRPMS
- freetype-2.9.1-9.el8.ML.1.src.rpm
MD5: 3f15ca280f90214729c096edd5c1cca6
SHA-256: b64068fa8a66a52c894e06e6a00ea7c6be72321f02d8cee49efb95a88d3d92d9
Size: 4.14 MB
Asianux Server 8 for x86_64
- freetype-2.9.1-9.el8.ML.1.i686.rpm
MD5: 0f1ea9334b167b5965e77c4144fcda39
SHA-256: 47500da0c6716d757003f3f5f7c1ce39daa83bc6931b53513a322e47c78cbbd6
Size: 410.53 kB
- freetype-2.9.1-9.el8.ML.1.x86_64.rpm
MD5: 2dd8ca934eff7f476c160747995a88b5
SHA-256: 51cc824f0135611e1fb7f765171dc3295e4fe8ea125d7e7e631299c3330e9646
Size: 392.84 kB
- freetype-devel-2.9.1-9.el8.ML.1.i686.rpm
MD5: 6e50ab27d9a68e07a19756c505b595b9
SHA-256: e98991c65201f8f9108348bb7979576c644352387efb35e41b1d07dada992bdd
Size: 463.71 kB
- freetype-devel-2.9.1-9.el8.ML.1.x86_64.rpm
MD5: b6013c0d0e56584849679aad09c0f980
SHA-256: b635f829f4ae88bf3c89def716b0a54af74da3309e68df988fe257031ae620b9
Size: 463.70 kB