Meta has issued a warning about a security vulnerability affecting the FreeType open-source font rendering library, which may have been exploited in the wild.
Identified as CVE-2025-27363, the flaw has been assigned a CVSS score of 8.1, classifying it as high severity. It is an out-of-bounds write vulnerability that could enable remote code execution when processing specific font files.
According to Meta's advisory, the issue affects FreeType versions 2.13.0 and earlier and occurs when parsing font subglyph structures related to TrueType GX and variable fonts. The flaw results from assigning a signed short value to an unsigned long, followed by an addition that wraps around so that the buffer allocated is too small. The code then writes up to six signed long integers out of bounds, potentially leading to arbitrary code execution.
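The arithmetic the advisory describes, as a constructed C illustration added here (this is not FreeType's code; the constant EXTRA, the function names and the element type are assumptions chosen only to make the pattern visible). It shows the vulnerable size computation beside a hardened form and a check that detects when the addition has wrapped:

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed illustration of the arithmetic in the Meta advisory.
 * NOT FreeType's code: EXTRA, the function names and the element type
 * are assumptions made for this example.
 */

#define EXTRA 4UL   /* hypothetical fixed number of extra slots added to a count */

/* Vulnerable pattern: a signed short count is assigned to an unsigned long
 * and a constant is added before the buffer is sized. A negative count
 * sign-extends to a value near ULONG_MAX, and the addition wraps to a tiny
 * size, so the allocation that follows is far too small. */
unsigned long vulnerable_size(short count)
{
    unsigned long n = count;   /* implicit sign extension: -2 becomes ULONG_MAX - 1 */
    return n + EXTRA;          /* wraps: (ULONG_MAX - 1) + 4 == 2 */
}

/* Returns 1 when the vulnerable computation has wrapped, i.e. the result is
 * smaller than the constant that was just added to it. */
int wrapped(short count)
{
    return vulnerable_size(count) < EXTRA;
}

/* Hardened form: reject negative counts and check the addition before
 * trusting the result. Returns -1 on rejection, otherwise the size. */
long safe_size(short count)
{
    if (count < 0)
        return -1;                                   /* a count is never negative */
    if ((unsigned long)count > ULONG_MAX - EXTRA)
        return -1;                                   /* addition would wrap */
    return (long)((unsigned long)count + EXTRA);
}

int main(void)
{
    short counts[] = { 10, -1, -2, -4 };   /* constructed inputs, not taken from any font */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        short c = counts[i];
        unsigned long bad = vulnerable_size(c);
        long good = safe_size(c);
        printf("count=%4d  vulnerable size=%lu%s  hardened=%ld\n",
               c, bad, wrapped(c) ? " (wrapped!)" : "", good);
        if (wrapped(c)) {
            /* The allocation succeeds but holds only `bad` elements; a later
             * write of EXTRA or more elements runs past the end of it. */
            long *buf = malloc(bad * sizeof *buf);
            printf("  malloc(%zu bytes) succeeded for a buffer meant to hold at least %lu slots\n",
                   bad * sizeof *buf, EXTRA);
            free(buf);
        }
    }
    return 0;
}
```

Only counts in a narrow negative range wrap to a small size; a more negative count leaves the sum near ULONG_MAX and the allocation simply fails. That is why a sign check on the count before the conversion, rather than a check on the allocation result, is the fix that closes this pattern.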
While Meta has not disclosed details on how the vulnerability is being exploited, the attackers involved, or the extent of the attacks, it confirmed that the flaw may have been exploited in the wild.
FreeType developer Werner Lemberg informed The Hacker News that the vulnerability was patched nearly two years ago, stating that versions later than 2.13.0 are no longer affected.
However, a post on the Open Source Security mailing list (oss-security) revealed that several Linux distributions are still using outdated versions, making them vulnerable. Affected distributions include:
- AlmaLinux
- Alpine Linux
- Amazon Linux 2
- Debian stable / Devuan
- RHEL / CentOS Stream / AlmaLinux 8 and 9
- GNU Guix
- Mageia
- OpenMandriva
- openSUSE Leap
- Slackware
- Ubuntu 22.04
Given reports of active exploitation, users are strongly advised to update to FreeType version 2.13.3 to ensure optimal protection.