
Meta warns that a security vulnerability in the FreeType open-source font rendering library may have been exploited in the wild.
The vulnerability has been assigned the CVE identifier CVE-2025-27363 and carries a CVSS score of 8.1, indicating high severity. It is described as an out-of-bounds write flaw that can be exploited to achieve remote code execution when parsing certain font files.
“An out-of-bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files,” the company said in its advisory.
“The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate too small of a heap buffer. The code then writes up to six signed long integers relative to this buffer.”
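To make the quoted mechanism concrete, here is an added illustrative C example (not FreeType's code; the constants, bound and function names are constructed assumptions) showing how a negative signed short, once assigned to an unsigned long and incremented by a fixed offset, wraps to a tiny allocation count, beside a checked version that rejects such input before any buffer is sized:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed constants, not FreeType's: a fixed offset added to the
   parsed count, and an upper bound on how many entries we accept. */
#define FIXED_OFFSET  4UL
#define MAX_ENTRIES   65536UL

/* Mirrors the flawed arithmetic in the advisory: a signed short read
   from the font is assigned to an unsigned long (a negative value is
   converted to a huge one), a fixed value is added, and the sum wraps
   to a small count. Returns the resulting element count. */
unsigned long flawed_alloc_count(short parsed_count)
{
    unsigned long count = parsed_count;  /* -4 becomes ULONG_MAX - 3 */
    return count + FIXED_OFFSET;         /* wraps around to 0 */
}

/* Hardened version: reject negative counts before widening, refuse an
   addition that could wrap, and cap the total at a sane bound.
   Returns false when the input is rejected. */
bool checked_alloc_count(short parsed_count, unsigned long *out)
{
    if (parsed_count < 0)
        return false;
    unsigned long count = (unsigned long)parsed_count;
    if (count > ULONG_MAX - FIXED_OFFSET)
        return false;
    unsigned long total = count + FIXED_OFFSET;
    if (total > MAX_ENTRIES)
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the smallest valid total is FIXED_OFFSET (> 0),
   so 0 unambiguously signals a rejected input. */
unsigned long checked_or_zero(short parsed_count)
{
    unsigned long n;
    return checked_alloc_count(parsed_count, &n) ? n : 0;
}

int main(void)
{
    short sample = -4;  /* constructed hostile count from a font file */
    printf("flawed count:  %lu\n", flawed_alloc_count(sample));
    printf("checked count: %lu (0 = rejected)\n", checked_or_zero(sample));
    return 0;
}
```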

The company did not share details on how the flaw was exploited, who was behind the attacks, or their scale. The advisory does, however, acknowledge that the bug may have been “exploited in the wild.”
FreeType developer Werner Lemberg told The Hacker News that the fix for the vulnerability has been incorporated for almost two years. “FreeType versions above 2.13.0 are no longer affected,” Lemberg said.
A separate message posted to the oss-security mailing list revealed that several Linux distributions still ship outdated versions of the library, leaving them susceptible to the flaw. These include AlmaLinux, Alpine Linux, Amazon Linux 2, Debian Stable / Devuan, and RHEL / CentOS Stream / AlmaLinux, among others.
In light of active exploitation, users are advised to update their installations to the latest version of FreeType (2.13.3) for optimal protection.