Security researchers and Meta have reported active exploitation of a high-severity vulnerability (CVE-2025-27363) affecting the FreeType font rendering library, commonly used across numerous applications, including Facebook.
The vulnerability arises from an out-of-bounds write when parsing font subglyph structures, specifically in the handling of TrueType GX and variable font files. An attacker who can get a crafted font rendered by a vulnerable application can use it to execute arbitrary code remotely.
Technical Details
Severity: High (CVSS 8.1)
The vulnerability occurs due to improper assignment of a signed short value to an unsigned long integer during heap buffer allocation. This results in a wraparound and leads to the allocation of a heap buffer smaller than required. Attackers exploiting this flaw can write up to six signed long integers out-of-bounds, enabling arbitrary code execution.
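The undersized allocation described above, as an added illustration in C that is not FreeType's code: it models a signed short entry count assigned to an unsigned long with a few extra slots added (EXTRA_ENTRIES is an assumed constant), shows how a large 16-bit field wraps to a tiny allocation, and places the overflow-checked computation a maintainer would want beside it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class in the advisory (not FreeType's
   code): a font entry count held in a signed short is assigned to an unsigned
   long and a few extra slots are added, so a negative count wraps to a tiny
   allocation. Each entry is one signed long. */
#define EXTRA_ENTRIES 4UL   /* assumed fixed number of extra slots */

/* Vulnerable size computation: sign-extends, then the addition wraps modulo
   the width of unsigned long (same outcome on 32- and 64-bit targets). */
unsigned long vulnerable_alloc_bytes(short n_entries)
{
    unsigned long count = (unsigned long)n_entries; /* -3 -> ULONG_MAX - 2 */
    count += EXTRA_ENTRIES;                         /* wraps around to 1 */
    return count * sizeof(long);
}
/* Bytes the consumer actually writes, using the field's unsigned value. */
unsigned long required_bytes(uint16_t raw_count)
{
    return ((unsigned long)raw_count + EXTRA_ENTRIES) * sizeof(long);
}
/* Hardened: keep the count unsigned and check the addition and the
   multiplication for overflow; 0 signals failure (never a valid size here). */
unsigned long hardened_alloc_bytes(uint16_t raw_count)
{
    unsigned long count, bytes;
    if (__builtin_add_overflow((unsigned long)raw_count, EXTRA_ENTRIES, &count))
        return 0;
    if (__builtin_mul_overflow(count, sizeof(long), &bytes))
        return 0;
    return bytes;
}
/* Bytes the vulnerable computation under-allocates for a given 16-bit field;
   the (short) cast is how a value such as 65533 is read back as -3. */
unsigned long shortfall_bytes(uint16_t raw_count)
{
    unsigned long got = vulnerable_alloc_bytes((short)raw_count);
    unsigned long need = required_bytes(raw_count);
    return got < need ? need - got : 0;
}
int main(void)
{
    uint16_t raw = 65533; /* constructed font value */
    printf("raw=%u allocated=%lu required=%lu shortfall=%lu hardened=%lu\n",
           (unsigned)raw, vulnerable_alloc_bytes((short)raw), required_bytes(raw),
           shortfall_bytes(raw), hardened_alloc_bytes(raw));
    return 0;
}
```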
Affected Versions
- FreeType ≤ 2.13.0
- Patched version: 2.13.3
Impact
Due to FreeType’s widespread use in major operating systems (Linux, Android), game engines, GUI frameworks, web browsers, and platforms such as Facebook, successful exploitation of this vulnerability can lead to substantial security breaches, including unauthorized access, remote code execution, and full system compromise.
Prompt mitigation measures are essential to prevent severe operational disruptions and potential data breaches.
Recommendations
- Immediately update FreeType to the patched version, 2.13.3 or later.
- Audit software projects and environments for legacy FreeType versions, including copies bundled or statically linked into other software, to ensure they are not inadvertently still in use.