Meta warns of worrying security flaw hitting open source type software


  • Facebook warned about a flaw in FreeType which could be used in remote code execution
  • The flaw "may have been exploited in the wild," the company said
  • A patch was recently released to address the vulnerability

Facebook is warning about an out-of-bounds write vulnerability in FreeType which could allow threat actors to achieve remote code execution (RCE). In a security advisory published by the company, it said that the vulnerability “may have been exploited in the wild.”

FreeType is an open-source software library that renders fonts. It supports various formats like TrueType, OpenType, and Type1, and is widely used in graphics applications, game engines, and operating systems to display high-quality text.

Major projects like Android, Linux, Unreal Engine, and ChromeOS rely on it for font rendering.

Patching the bug

The vulnerability is tracked as CVE-2025-27363, and was given a severity score of 8.1 (high). It affects the library’s versions 2.13.0 and older.

It can be triggered “when attempting to parse font subglyph structures related to TrueType GX and variable font files,” Facebook explained in the advisory. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer.”
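To make the advisory's description concrete, here is an added C example that is not FreeType's code: it reproduces the arithmetic pattern (signed short stored into an unsigned long, then a constant added) the vulnerable way and beside it the way a hardened parser should compute the size. The field name `num_subglyphs`, the constant 6 and the element type `long` are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed slack the allocator adds to the parsed count (illustration only). */
#define EXTRA_ELEMENTS 6

/* Vulnerable pattern: a negative signed short sign-extends to a huge
 * unsigned value; adding the constant wraps it back to a small number, so
 * the heap buffer that gets allocated is far too small for what the parser
 * later writes into it. Returns the byte count that would be requested. */
unsigned long vuln_alloc_size(short num_subglyphs)
{
    unsigned long count = num_subglyphs;  /* -3 becomes ULONG_MAX - 2 */
    count += EXTRA_ELEMENTS;              /* wraps around to 3 */
    return count * sizeof(long);          /* 3 elements instead of a rejection */
}

/* Hardened pattern: refuse negative counts and check each arithmetic step
 * for overflow before multiplying. Returns false when the size is not
 * representable, so the caller can reject the font instead of allocating. */
bool safe_alloc_size(short num_subglyphs, size_t *out)
{
    if (num_subglyphs < 0)
        return false;                     /* untrusted field: never trust the sign */
    size_t count = (size_t)num_subglyphs;
    if (count > SIZE_MAX - EXTRA_ELEMENTS)
        return false;                     /* addition would wrap */
    count += EXTRA_ELEMENTS;
    if (count > SIZE_MAX / sizeof(long))
        return false;                     /* multiplication would overflow */
    *out = count * sizeof(long);
    return true;
}

/* Allocation wrapper using the hardened size: NULL means "malformed font,
 * do not continue parsing", never an undersized buffer. */
long *alloc_subglyph_table(short num_subglyphs)
{
    size_t bytes;
    if (!safe_alloc_size(num_subglyphs, &bytes))
        return NULL;
    return calloc(1, bytes);
}
```

On an LP64 build a parsed value of -3 makes the vulnerable path request only 24 bytes, while the hardened path rejects it outright.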

While Facebook was the one warning about the vulnerability, it is unclear whether it relies on the library, and in what capacity. Also, it said the vulnerability “may have been exploited in the wild,” but did not elaborate on whether it saw the attacks on its own platform or elsewhere.

To tackle the problem, software developers should upgrade their FreeType to the latest version (2.13.3) as soon as possible. The first clean version is 2.13.1, although the FreeType website mentions nothing about a security upgrade.

“This is a maintenance release with only minor changes,” the updates page says.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
