Facebook Warns of Zero-Day Exploit in FreeType Library
Meta’s Facebook security team has sounded the alarm over an actively exploited zero-day vulnerability in the widely used FreeType software development library.
In a brief advisory, Facebook revealed that the flaw affects FreeType versions 2.13.0 and earlier, potentially enabling arbitrary code execution.
“This vulnerability may have been exploited in the wild,” the company stated, though details of the attacks remain undisclosed. The vulnerability, identified as CVE-2025-27363, carries a CVSS severity score of 8.1 out of 10.
This isn’t the first time FreeType has been targeted. In 2020, Google rushed a major Chrome update to patch a FreeType zero-day exploited by a high-profile APT group.
Facebook’s Security Bulletin:
The flaw stems from an out-of-bounds write that occurs when parsing font subglyph structures in TrueType GX and variable font files. A signed-to-unsigned conversion error causes an incorrect memory allocation; the resulting buffer overflow lets an attacker write data out of bounds, potentially leading to arbitrary code execution.
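As an added illustration of the bug class described above (this is not FreeType's code and not the actual CVE-2025-27363 fix), the following C snippet uses a hypothetical record format with a signed 16-bit entry count: the buggy planner checks its limit before the sign conversion, so a negative count slips through and the size computation wraps, while the hardened planner validates in the signed domain and guards the multiplication. All names, the record layout and the MAX_ENTRIES limit are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for illustration (not FreeType's
 * format or code): a big-endian signed 16-bit entry count, then ENTRY_SIZE-byte entries. */
#define ENTRY_SIZE  4u
#define MAX_ENTRIES 4096
/* Big-endian signed 16-bit read, the way font tables commonly store counts. */
static int16_t read_s16be(const uint8_t *p) {
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Buggy pattern (the bug class in the bulletin): the limit is checked in the
 * signed domain, where a negative count passes, and the value is then converted
 * to an unsigned type for the size computation. A count of -1 becomes SIZE_MAX,
 * the multiplication wraps, and the allocation no longer matches the entry count
 * the parser later writes. Returns 1 if accepted and stores the planned size. */
int buggy_plan_alloc(const uint8_t *hdr, size_t *bytes) {
    int16_t count = read_s16be(hdr);
    if (count > MAX_ENTRIES)               /* negative counts are not rejected */
        return 0;
    *bytes = (size_t)count * ENTRY_SIZE;   /* wraps when count < 0 */
    return 1;
}

/* Hardened form: reject anything outside [0, MAX_ENTRIES] before converting,
 * then widen to size_t and guard the multiplication so the size cannot wrap. */
int safe_plan_alloc(const uint8_t *hdr, size_t *bytes) {
    int16_t count = read_s16be(hdr);
    if (count < 0 || count > MAX_ENTRIES)
        return 0;
    size_t n = (size_t)count;              /* provably non-negative here */
    if (n > SIZE_MAX / ENTRY_SIZE)         /* redundant with MAX_ENTRIES today, */
        return 0;                          /* but survives a larger limit */
    *bytes = n * ENTRY_SIZE;
    return 1;
}

/* Planned allocation size under a policy, or 0 when the record is rejected. */
size_t planned_bytes(int (*plan)(const uint8_t *, size_t *), const uint8_t *hdr) {
    size_t bytes = 0;
    return plan(hdr, &bytes) ? bytes : 0;
}

int main(void) {
    const uint8_t neg[2] = { 0xFF, 0xFF };   /* constructed header: count = -1 */
    printf("buggy: %zu bytes, safe: %zu (0 = rejected)\n",
           planned_bytes(buggy_plan_alloc, neg), planned_bytes(safe_plan_alloc, neg));
    return 0;
}
```

The same shape of check (validate the signed value first, then guard the widened multiplication) is what a reviewer looks for in any parser that sizes allocations from file-supplied counts.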
Affected Systems and Mitigation:
Older versions of FreeType, including those bundled with legacy Linux distributions, are at risk. While FreeType 2.13.3 has patched the vulnerability, many systems remain exposed.
Organizations are urged to update FreeType to version 2.13.3 or later and actively monitor their systems for any signs of suspicious activity.