Meta warns of actively exploited flaw in FreeType library
Meta warns that a high-severity vulnerability in the FreeType library (CVE-2025-27363), affecting versions 2.13.0 and earlier, is being actively exploited. The flaw may lead to arbitrary code execution. Multiple Linux distributions are affected; upgrading to FreeType 2.13.3 is recommended. 2025-3-13 11:2:38 Author: securityaffairs.com


Meta warned that a vulnerability, tracked as CVE-2025-27363, impacting the FreeType library may have been exploited in the wild.

Meta warned that an out-of-bounds write flaw in the FreeType library, tracked as CVE-2025-27363 (CVSS score of 8.1), may have been actively exploited in attacks.

“An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files,” reads the advisory published by Meta. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution.”
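The integer-conversion pattern the advisory describes, as an added illustration. This is not FreeType's source: the field and constant names (subglyph_count, PHANTOM_POINTS, SUBGLYPH_VALUES) are assumed for the example, and the out-of-bounds write is counted rather than performed so the program never corrupts its own heap. It shows the vulnerable size computation beside a hardened one.

```c
/*
 * Added illustration of the CVE-2025-27363 bug class (not FreeType's code).
 * A signed 16-bit count read from an untrusted font is widened to unsigned
 * long, a small constant is added, and the sum wraps to a tiny allocation.
 * Names below are assumed for this example; FreeType's identifiers differ.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define PHANTOM_POINTS  4UL   /* assumed "static value" added to the count   */
#define SUBGLYPH_VALUES 6     /* advisory: up to 6 longs written per subglyph */

/* Vulnerable pattern: the short is sign-extended during the implicit
 * conversion, so -4 becomes ULONG_MAX - 3, and adding 4 wraps the element
 * count to 0 (and -3 to 1, and so on). The allocation is then far too small. */
unsigned long vulnerable_count(short subglyph_count)
{
    unsigned long count = subglyph_count;     /* implicit signed -> unsigned */
    count += PHANTOM_POINTS;                  /* wraps for negative input    */
    return count;
}

/* Hardened pattern: reject negative counts before widening, and check the
 * addition for overflow. Returns 0 on success, -1 on rejected input. */
int hardened_count(short subglyph_count, unsigned long *out)
{
    if (subglyph_count < 0)
        return -1;                            /* malformed font data         */
    unsigned long count = (unsigned long)subglyph_count;
    if (count > ULONG_MAX - PHANTOM_POINTS)
        return -1;                            /* unreachable for a short; kept as the general guard */
    *out = count + PHANTOM_POINTS;
    return 0;
}

/* Number of `nwrites` fixed writes that would land past a buffer holding
 * `count` elements. Computed, not performed, so the model stays memory-safe. */
size_t oob_writes(unsigned long count, size_t nwrites)
{
    return nwrites > count ? (size_t)(nwrites - count) : 0;
}

/* Allocate with the hardened computation and store SUBGLYPH_VALUES longs,
 * bounds-checked. Returns the number of values stored, or -1 on rejection. */
int store_subglyph_values(short subglyph_count, const long values[SUBGLYPH_VALUES])
{
    unsigned long count;
    if (hardened_count(subglyph_count, &count) != 0)
        return -1;
    if (count < SUBGLYPH_VALUES)
        return -1;                            /* buffer too small for the fixed write */
    long *buf = calloc(count, sizeof *buf);
    if (buf == NULL)
        return -1;
    for (int i = 0; i < SUBGLYPH_VALUES; i++)
        buf[i] = values[i];
    free(buf);
    return SUBGLYPH_VALUES;
}

int main(void)
{
    /* Constructed sample counts as a font could supply them: one sane, two hostile. */
    short samples[] = { 10, -3, -4 };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        short n = samples[i];
        unsigned long vuln = vulnerable_count(n), safe = 0;
        int ok = hardened_count(n, &safe);
        printf("count=%d: vulnerable alloc=%lu elements (%zu of %d writes out of bounds); "
               "hardened: %s\n",
               n, vuln, oob_writes(vuln, SUBGLYPH_VALUES), SUBGLYPH_VALUES,
               ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Compiling the vulnerable function with `-Wsign-conversion` (GCC or Clang) flags the implicit short-to-unsigned-long assignment, which is the cheapest way to surface this class of bug in a native parser before it reaches a heap buffer.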

The company did not disclose details on the attacks exploiting this vulnerability, attackers, or attack scale.

“This vulnerability may have been exploited in the wild,” the advisory continues.

Only FreeType 2.13.0 and earlier are affected; versions after 2.13.0 are not vulnerable.

Several Linux distributions, however, still ship an outdated version of the library, which leaves their users exposed.

Some of the impacted Linux distros are:

  • AlmaLinux
  • Alpine Linux
  • Amazon Linux 2
  • Debian stable / Devuan
  • RHEL / CentOS Stream / AlmaLinux 8 and 9 (and derivatives)
  • GNU Guix
  • Mageia
  • OpenMandriva
  • openSUSE Leap
  • Slackware, and
  • Ubuntu 22.04

Given the reported exploitation, users should update their installations to FreeType 2.13.3. Since distributions often backport the fix without changing the upstream version number, check the package changelog rather than relying on the version string alone.


Pierluigi Paganini

Source: https://securityaffairs.com/175337/hacking/meta-warned-actively-exploited-cve-2025-27363.html