Meta has issued a critical warning regarding a security vulnerability in the FreeType open-source font rendering library, indicating that it may have been actively exploited in the wild.
This vulnerability is cataloged under the CVE identifier CVE-2025-27363 and carries a high severity CVSS score of 8.1. It is characterized as an out-of-bounds write flaw, allowing for potential remote code execution when processing specific font files.
According to Meta’s advisory, “An out-of-bounds write exists in FreeType versions 2.13.0 and lower when parsing font subglyph structures associated with TrueType GX and variable font files.” The company provided additional details, explaining that the vulnerable implementation erroneously assigns a signed short value to an unsigned long, resulting in buffer overflow issues that could lead to arbitrary code execution.
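The conversion mistake Meta describes (a signed short widened to an unsigned long before it is used to size a buffer) can be modelled in a few lines of C. The following is an added illustration, not FreeType's code: the record layout, the `MAX_SUBGLYPHS` cap and all function names are constructed for this example, which places the flawed sizing next to a hardened parser that rejects the sign bit and bounds-checks the record before copying.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SUBGLYPHS 64   /* constructed cap for this illustration only */

/* Read a big-endian signed 16-bit value (TrueType tables are big-endian). */
static int16_t read_be_int16(const uint8_t *p) {
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Flawed sizing: the signed short is widened to unsigned long, so a negative
   count such as 0xFFFF becomes a value near ULONG_MAX instead of being
   rejected, and any arithmetic on it wraps. */
unsigned long flawed_entry_bytes(const uint8_t *rec, size_t entry_size) {
    unsigned long count = read_be_int16(rec);   /* implicit sign extension */
    return count * entry_size;
}

/* Hardened: validate sign and range before any size arithmetic, then check
   the record really holds that many entries and the output can take them. */
int safe_parse_entries(const uint8_t *rec, size_t rec_len, size_t entry_size,
                       uint8_t *out, size_t out_len, size_t *n_out) {
    if (rec_len < 2 || entry_size == 0) return -1;
    int16_t raw = read_be_int16(rec);
    if (raw < 0 || raw > MAX_SUBGLYPHS) return -1;       /* reject sign bit */
    size_t count = (size_t)raw;
    if (count > (rec_len - 2) / entry_size) return -1;   /* overflow-safe bound */
    if (count * entry_size > out_len) return -1;
    memcpy(out, rec + 2, count * entry_size);
    *n_out = count;
    return 0;
}

/* Constructed sample records: a 16-bit count followed by 2-byte entries. */
static const uint8_t REC_NEGATIVE[] = {0xFF, 0xFF};                     /* count -1 */
static const uint8_t REC_TWO[] = {0x00, 0x02, 0xAA, 0xBB, 0xCC, 0xDD};  /* count 2 */
static const uint8_t REC_SHORT[] = {0x00, 0x03, 0xAA, 0xBB, 0xCC, 0xDD};/* claims 3 */

/* Convenience wrapper: entries parsed by the hardened path, or -1 on reject. */
int parsed_entry_count(const uint8_t *rec, size_t rec_len) {
    uint8_t buf[MAX_SUBGLYPHS * 2];
    size_t n = 0;
    if (safe_parse_entries(rec, rec_len, 2, buf, sizeof buf, &n) != 0) return -1;
    return (int)n;
}
```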
Despite the gravity of the situation, Meta has not disclosed specific details about the ongoing exploit, including those responsible or the scale of attacks. Nevertheless, they caution that the vulnerability “may have been exploited in the wild.”
FreeType developer Werner Lemberg confirmed to The Hacker News that a fix has been available for nearly two years, asserting that any FreeType version above 2.13.0 is no longer susceptible to this flaw.
In a message shared on the Open Source Security mailing list, concerns were raised about various Linux distributions that continue to operate on outdated versions of the library, making them vulnerable. Distribution names mentioned include AlmaLinux, Alpine Linux, Amazon Linux 2, Debian, RHEL, and Ubuntu 22.04, among others.
Given the potential for active exploitation, users are strongly advised to update to the latest FreeType version (2.13.3) to protect against possible attacks.