Facebook Discloses FreeType 2 Flaw Exploited in Attacks

Summary:
Facebook has issued a warning about a critical vulnerability in FreeType, an open-source font rendering library widely used across multiple platforms, including Linux, Android, game engines, GUI frameworks, and online services. The flaw, tracked as CVE-2025-27363, has been assigned a CVSS v3 severity score of 8.1 (high) and affects all FreeType versions up to 2.13.0. Reports indicate that the vulnerability has already been exploited in real-world attacks. The issue arises from an out-of-bounds write when parsing font subglyph structures related to TrueType GX and variable font files. Specifically, the vulnerable code assigns a signed short value to an unsigned long, then adds a static value that causes an overflow, leading to an incorrectly allocated heap buffer. This faulty allocation allows the writing of up to six signed long integers beyond the buffer boundary, creating an opportunity for arbitrary code execution.
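The sign-conversion and wraparound sequence described above is a recurring bug class in font and file parsers. The following C program is an added illustration of that class, not FreeType's code and not the actual vulnerable routine: the count read from the font, the constant `HEADER_SLOTS`, and the function names are all assumptions chosen to model the pattern. It places the unsafe size computation beside a hardened form that validates the sign of the count and checks each arithmetic step before allocating.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the size computation described in the advisory.
 * This is NOT FreeType's code; the constant and names are assumptions. */

#define HEADER_SLOTS 4UL   /* assumed constant added to the parsed count */

/* Unsafe pattern: a signed short read from the font is stored in an
 * unsigned long and a constant is added. A negative short becomes a
 * value near ULONG_MAX, and the addition wraps to a tiny number, so a
 * buffer sized from it is far smaller than later code assumes. */
unsigned long unsafe_slot_count(short count_from_font)
{
    unsigned long n = count_from_font;   /* sign-extended, then converted: -1 -> ULONG_MAX */
    return n + HEADER_SLOTS;             /* wraps modulo ULONG_MAX + 1 */
}

/* Hardened form: reject a negative count as malformed input, then check
 * the addition and the multiplication by the element size before doing
 * them. Returns 1 and the byte count on success, 0 on rejection. */
int safe_alloc_bytes(short count_from_font, size_t elem_size, size_t *out_bytes)
{
    if (count_from_font < 0)
        return 0;                                  /* negative count: malformed font */
    unsigned long n = (unsigned long)count_from_font;
    if (n > ULONG_MAX - HEADER_SLOTS)
        return 0;                                  /* addition would wrap */
    n += HEADER_SLOTS;
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return 0;                                  /* multiplication would wrap */
    *out_bytes = (size_t)n * elem_size;
    return 1;
}

/* Allocates the slot array only when the size computation is sound.
 * Returns NULL for any rejected input, so callers never receive an
 * undersized buffer. */
long *alloc_slots(short count_from_font)
{
    size_t bytes;
    if (!safe_alloc_bytes(count_from_font, sizeof(long), &bytes))
        return NULL;
    return (long *)calloc(1, bytes);
}

int main(void)
{
    /* Constructed sample counts: one valid, two negative as a malformed
     * font might carry. */
    short samples[] = { 2, -1, -3 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = 0;
        int ok = safe_alloc_bytes(samples[i], sizeof(long), &bytes);
        printf("count=%d unsafe_slots=%lu hardened=%s\n",
               samples[i], unsafe_slot_count(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the constant set to 4, a count of -1 makes the unsafe computation yield 3 slots and a count of -3 yields 1 slot, while the hardened path rejects both before any allocation takes place. The same shape of check (sign, addition, multiplication) is what a code reviewer should look for wherever a size is derived from attacker-controlled file data.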

Security Officer Comments:
The vulnerability was patched in FreeType 2.13.0 on February 9, 2023, yet older versions of the library remain embedded in many software projects. FreeType is deeply integrated into various systems, and outdated versions may persist for years, making it critical for developers and administrators to immediately upgrade to FreeType 2.13.3, the latest available version, to mitigate potential risks.

Suggested Corrections:
Facebook disclosed the flaw publicly, though it remains unclear whether the attacks observed by its security team occurred on its own platform or were identified elsewhere. Meta responded to inquiries by emphasizing its commitment to improving security in open-source software, stating that reporting such vulnerabilities strengthens online security for all users. Given the widespread reliance on FreeType, software vendors and project maintainers are urged to prioritize patching to prevent potential exploitation.

Link(s):
https://www.bleepingcomputer.com/ne...scloses-freetype-2-flaw-exploited-in-attacks/