- Facebook warned about a flaw in FreeType which could be used in remote code execution
- The flaw “may have been exploited in the wild,” the company said
- A patch was recently released to address the vulnerability
Facebook is warning about an out of bounds write vulnerability in FreeType, which could allow threat actors to remotely execute arbitrary code (RCE). In a security advisory published by the company, it said that the vulnerability “may have been exploited in the wild.”
FreeType is an open-source software library that renders fonts. It supports various formats like TrueType, OpenType, and Type1, and is widely used in graphics applications, game engines, and operating systems to display high-quality text.
Major projects like Android, Linux, Unreal Engine, and ChromeOS rely on it for font rendering.
Patching the bug
The vulnerability is tracked as CVE-2025-27363, and was given a severity score of 8.1 (high). It affects the library’s versions 2.13.0 and older.
It can be triggered “when attempting to parse font subglyph structures related to TrueType GX and variable font files,” Facebook explained in the advisory. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer.”
While Facebook was the one warning about the vulnerability, it is unclear if it is relying on the library and in what capacity. Also, it said the vulnerability “may have been exploited in the wild,” but did not elaborate if it saw the attacks on its own platform, or elsewhere.
To tackle the problem, software developers should upgrade their FreeType to the latest version (2.13.3) as soon as possible. The first clean version is 2.13.1, although the FreeType website mentions nothing about a security upgrade.
“This is a maintenance release with only minor changes,” it was said on the updates page.
Via BleepingComputer
Leave a comment