Meta warns of worrying security flaw hitting open source type software

News
By published

FreeType carried a flaw that allowed for remote code execution.

Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
(Image credit: Shutterstock)
  • Facebook warned about a flaw in FreeType which could be used in remote code execution
  • The flaw "may have been exploited in the wild," the company said
  • A patch was recently released to address the vulnerability

Facebook is warning about an out of bounds write vulnerability in FreeType, which could allow threat actors to remotely execute arbitrary code (RCE). In a security advisory published by the company, it said that the vulnerability “may have been exploited in the wild.”

FreeType is an open-source software library that renders fonts. It supports various formats like TrueType, OpenType, and Type1, and is widely used in graphics applications, game engines, and operating systems to display high-quality text.

Major projects like Android, Linux, Unreal Engine, and ChromeOS rely on it for font rendering.

Patching the bug

The vulnerability is tracked as CVE-2025-27363, and was given a severity score of 8.1 (high). It affects the library’s versions 2.13.0 and older.

It can be triggered “when attempting to parse font subglyph structures related to TrueType GX and variable font files,” Facebook explained in the advisory. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer.”

While Facebook was the one warning about the vulnerability, it is unclear if it is relying on the library and in what capacity. Also, it said the vulnerability “may have been exploited in the wild,” but did not elaborate if it saw the attacks on its own platform, or elsewhere.

To tackle the problem, software developers should upgrade their FreeType to the latest version (2.13.3) as soon as possible. The first clean version is 2.13.1, although the FreeType website mentions nothing about a security upgrade.

“This is a maintenance release with only minor changes,” it was said on the updates page.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.