By Nermeen Nabil Khear 
- Facebook warned about a flaw in FreeType which could be used in remote code execution
- The flaw “may have been exploited in the wild,” the company said
- A patch was recently released to address the vulnerability
Facebook is warning about an out of bounds write vulnerability in FreeType, which could allow threat actors to remotely execute arbitrary code (RCE). In a security advisory published by the company, it said that the vulnerability “may have been exploited in the wild.”
FreeType is an open-source software library that renders fonts. It supports various formats like TrueType, OpenType, and Type1, and is widely used in graphics applications, game engines, and operating systems to display high-quality text.
Major projects like Android, Linux, Unreal Engine, and ChromeOS rely on it for font rendering.
Patching the bug
The vulnerability is tracked as CVE-2025-27363, and was given a severity score of 8.1 (high). It affects the library’s versions 2.13.0 and older.
It can be triggered “when attempting to parse font subglyph structures related to TrueType GX and variable font files,” Facebook explained in the advisory. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer.”
While Facebook was the one warning about the vulnerability, it is unclear if it is relying on the library and in what capacity. Also, it said the vulnerability “may have been exploited in the wild,” but did not elaborate if it saw the attacks on its own platform, or elsewhere.
To tackle the problem, software developers should upgrade their FreeType to the latest version (2.13.3) as soon as possible. The first clean version is 2.13.1, although the FreeType website mentions nothing about a security upgrade.
“This is a maintenance release with only minor changes,” it was said on the updates page.
Via BleepingComputer
You might also like
- Meta purportedly trained its AI on more than 80TB of pirated content and then open-sourced Llama for the greater good
- We’ve rounded up the best password managers
- Take a look at our guide to the best authenticator app
This articles is written by : Nermeen Nabil Khear Abdelmalak
All rights reserved to : USAGOLDMIES . www.usagoldmines.com
You can Enjoy surfing our website categories and read more content in many fields you may like .
Why USAGoldMines ?
USAGoldMines is a comprehensive website offering the latest in financial, crypto, and technical news. With specialized sections for each category, it provides readers with up-to-date market insights, investment trends, and technological advancements, making it a valuable resource for investors and enthusiasts in the fast-paced financial world.