Meta has recently alerted users to a severe security vulnerability in the FreeType open-source font rendering library, which may have been exploited in the wild. The vulnerability, identified as CVE-2025-27363, carries a CVSS score of 8.1, indicating its high severity. It is classified as an out-of-bounds write flaw that could allow remote code execution when parsing specific font files. The issue affects FreeType versions 2.13.0 and earlier, posing a serious risk to systems using these versions of the library. Systems still running these versions are especially vulnerable to potential attacks from malicious actors.
The vulnerability arises from improper handling of font subglyph structures, specifically those related to TrueType GX and variable font files. In vulnerable versions, a signed short value is incorrectly assigned to an unsigned long, causing the value to overflow and resulting in a heap buffer allocation that is too small. This issue leads to an out-of-bounds write, allowing attackers to overwrite memory beyond the buffer’s limits. When successfully exploited, this could result in arbitrary code execution on the affected system, creating a critical security threat for users with vulnerable versions of FreeType installed.
Meta’s advisory did not provide specific details on how the vulnerability is being exploited, the identity of the attackers, or the scale of attacks.
However, FreeType developer Werner Lemberg confirmed that a fix has been available for almost two years in versions of the library newer than 2.13.0. Despite this, several widely used Linux distributions still run outdated versions of FreeType, making them susceptible to the flaw. These distributions include AlmaLinux, Alpine Linux, Ubuntu, RHEL, and others.
All of which are at risk of exploitation due to the presence of the unpatched vulnerability in their systems.
To address the security risks posed by CVE-2025-27363, users are urged to immediately update to FreeType version 2.13.3 or later, which includes the necessary fix. Additionally, users should monitor their systems for unusual behavior that might indicate active exploitation attempts. Implementing extra security measures, such as firewalls, intrusion detection systems, and other defense tools, is also highly recommended to protect against potential attacks. Prompt action is essential to prevent the exploitation of this critical vulnerability and to secure systems from potential breaches.
