Facebook has warned of a critical vulnerability in FreeType, a widely used open-source font rendering library. The flaw, tracked as CVE-2025-27363 and rated 8.1 (high) on the CVSS v3 scale, allows arbitrary code execution and has reportedly been exploited in attacks.
FreeType is an essential component in numerous systems, enabling text rendering in different formats such as TrueType (TTF) and OpenType (OTF). The library is integrated into millions of devices and platforms, including Linux distributions, Android systems, game engines, graphical user interface (GUI) frameworks, and various online services, reports BleepingComputer.
According to Facebook’s security advisory, the issue stems from an out-of-bounds write when processing TrueType GX and variable font files. Specifically, the vulnerable code assigns a signed short value to an unsigned long and then adds a static value; the result wraps around, so the heap buffer allocated from it is too small.
Consequently, up to six signed long integers can be written beyond the allocated memory, leading to potential arbitrary code execution.

“An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer,” the advisory notes. “The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.”
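To make the conversion error the advisory describes concrete, the following C program is an added illustration written for this article; it is not FreeType's code and does not reproduce the library's parser. The record type `long`, the helper names, and the assumption that six extra records are written after the counted ones are constructed for the illustration; the value 6 comes from the advisory's own wording ("up to 6 signed long integers"). It shows how a negative 16-bit count widened to `unsigned long` and then incremented wraps to a tiny allocation size, and how a hardened version rejects the input before any arithmetic is done.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Constructed illustration of the integer-conversion pattern the
 * advisory describes; this is NOT FreeType's code. The record type
 * (long) and the helper names are assumptions. The constant 6 is the
 * number of extra signed longs the advisory says are written. */
#define EXTRA_LONGS 6UL

/* Buggy pattern: a 16-bit signed count parsed from the font is widened
 * to unsigned long. A negative count becomes a value near ULONG_MAX;
 * adding the static extra then wraps to a tiny number, so the byte
 * count handed to the allocator is far smaller than the later writes
 * need. Returns the byte size that would be allocated. */
unsigned long buggy_alloc_size(short count_from_font)
{
    unsigned long n = (unsigned long)count_from_font; /* -1 becomes ULONG_MAX */
    n += EXTRA_LONGS;                                 /* ULONG_MAX + 6 wraps to 5 */
    return n * sizeof(long);
}

/* Modelled number of bytes the writer needs (assumption for this
 * illustration): the counted records, none if the count is negative
 * and the loop does not run, plus six extras written regardless. */
unsigned long bytes_written(short count_from_font)
{
    unsigned long counted = count_from_font > 0 ? (unsigned long)count_from_font : 0;
    return (counted + EXTRA_LONGS) * sizeof(long);
}

/* Hardened pattern: reject negative counts before widening, keep the
 * arithmetic in size_t, and check that the multiplication cannot
 * overflow. Returns the byte size to allocate, or 0 if the input is
 * invalid so the caller can fail the parse instead of allocating. */
size_t safe_alloc_size(short count_from_font)
{
    if (count_from_font < 0)
        return 0;                                     /* untrusted count must be non-negative */
    size_t n = (size_t)count_from_font + EXTRA_LONGS; /* at most 32767 + 6, cannot wrap */
    if (n > SIZE_MAX / sizeof(long))
        return 0;                                     /* defensive; unreachable for a short */
    return n * sizeof(long);
}

/* 1 if the buggy size is smaller than what the modelled writes need. */
int buggy_undersizes(short count_from_font)
{
    return buggy_alloc_size(count_from_font) < bytes_written(count_from_font);
}

int main(void)
{
    /* Constructed sample counts: two valid, two negative as a malformed font could supply. */
    short samples[] = { 10, 0, -1, -3 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short c = samples[i];
        printf("count=%3d buggy_alloc=%lu needed=%lu safe_alloc=%zu undersized=%d\n",
               c, buggy_alloc_size(c), bytes_written(c), safe_alloc_size(c),
               buggy_undersizes(c));
    }
    return 0;
}
```

The point for a reviewer or fuzzing harness is the shape of the check: any count read from a file must be validated in its original signed type before it is widened, and the size computation must be provably non-wrapping before the result reaches the allocator. For a negative count the buggy helper returns 40 bytes on an LP64 platform while the modelled writes need 48, which is exactly the undersized-buffer condition the advisory describes; the hardened helper returns 0 and the parse fails closed.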
Facebook has not disclosed specific details regarding how the vulnerability is exploited or whether attacks have directly impacted its platform. However, the risk is substantial given the library’s broad usage across multiple industries.
The security bulletin urges developers and administrators to upgrade to FreeType 2.13.3 immediately to mitigate potential threats.
Despite the availability of a patched version, older versions of FreeType can linger in software projects for years. This persistence increases the likelihood of exploitation, particularly in environments where security updates are infrequent.