INSYDE-SA-2025003
Product: InsydeH2O
CVSS Score: See description.
Original Date: 2025-07-08
Last Revised: 2025-07-16
Summary
[FreeType] Upgrade FreeType to v2.13.3
Vulnerability Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Upgrade FreeType to v2.13.3, which addresses the following vulnerability.
1. CVE-2025-27363
CVSS: 8.1 (Unaffected if developers use kernel default TTF file)
Description: An out-of-bounds write vulnerability may result in arbitrary code execution.
Note: Triggering this vulnerability requires a “specially crafted TTF file”. Any normal, well-formed TTF file will not have this issue. For a system to be vulnerable, one of these “specially crafted TTF files” would have to be inserted into the BIOS by the BIOS engineer or through flashing. The CVSS should therefore be reduced to low or medium (3.x or 4.x), because becoming vulnerable requires special access to the BIOS build machine.
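As an added example (not Insyde's code and not part of this advisory), a build-side check for the condition described in the note: it reports any font file in a firmware source tree whose SHA-256 is not pinned. The tree layout, file names and sample bytes are constructed, and the pinned hash must be replaced with that of the font actually reviewed for the build.

```python
import hashlib
import tempfile
from pathlib import Path

# sfnt container signatures: TrueType 1.0, Apple 'true', OpenType/CFF, TrueType Collection
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}


def sha256_file(path):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unpinned_fonts(tree, pinned_sha256):
    """Return font files under `tree` whose SHA-256 is not in the pinned set.

    Fonts are recognised by sfnt signature, not by file extension, so a
    renamed font is still reported.
    """
    unpinned = []
    for path in sorted(p for p in Path(tree).rglob("*") if p.is_file()):
        with path.open("rb") as f:
            magic = f.read(4)
        if magic in SFNT_MAGICS and sha256_file(path) not in pinned_sha256:
            unpinned.append(path)
    return unpinned


def demo():
    """Run the check on a constructed tree; returns the reported file names."""
    # Constructed stand-ins: only the 4-byte signature is realistic.
    default_font = b"\x00\x01\x00\x00" + b"constructed stand-in for the default font"
    other_font = b"\x00\x01\x00\x00" + b"constructed stand-in for an unreviewed font"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Fonts").mkdir()
        (root / "Fonts" / "default.ttf").write_bytes(default_font)
        (root / "Fonts" / "logo.bin").write_bytes(other_font)  # font behind a misleading extension
        (root / "readme.txt").write_bytes(b"not a font")
        pinned = {hashlib.sha256(default_font).hexdigest()}  # placeholder for the reviewed font's hash
        return [p.name for p in find_unpinned_fonts(root, pinned)]


if __name__ == "__main__":
    print(demo())
```

The check says nothing about whether a reported font is malformed; it only flags font files that were not reviewed and pinned.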
Solution Information
kernel 5.2, Version 05.2A.13
kernel 5.3, Version 05.39.13
kernel 5.4, Version 05.47.13
kernel 5.5, Version 05.55.13
kernel 5.6, Version 05.62.13
kernel 5.7, Version 05.71.13
Acknowledgements
Revision History
Revision # | Date | Description
1 | 2025-07-08 | Initial Release
1.1 | 2025-07-16 | Added note to explain the actual impact of this vulnerability.