- Facebook warned of a FreeType flaw that could be used for remote code execution
- The flaw “may have been exploited in the wild,” the company said
- A patch has recently been published to address the vulnerability
Facebook is warning of an out-of-bounds write vulnerability in FreeType that could allow threat actors to execute arbitrary code remotely (RCE). In a security advisory published by the company, it said that the vulnerability “could have been exploited in the wild”.
FreeType is an open source software library that renders fonts. It supports various formats such as TrueType, OpenType and Type1, and is widely used in graphics applications, game engines and operating systems to display high-quality text.
Major projects such as Android, Linux, Unreal Engine and ChromeOS rely on it for font rendering.
Patching the bug
The vulnerability is tracked as CVE-2025-27363 and received a severity score of 8.1 (high). It affects library versions 2.13.0 and more.
It can be triggered “when attempting to parse font subglyph structures related to TrueType GX and variable font files,” Facebook said in the advisory. “The vulnerable code assigns a signed short value to an unsigned long, then adds a static value, which makes it wrap around and allocate too small a heap buffer. The code then writes up to 6 signed integers out of bounds relative to this buffer.”
Although Facebook was the only one to warn of the vulnerability, it is not clear whether it relies on the library, and in what way. In addition, it said that the vulnerability “had perhaps been exploited in the wild”, but did not elaborate on whether it saw the attacks against its own platform or elsewhere.
To fix the problem, software developers must upgrade FreeType to the latest version (2.13.3) as soon as possible. The first clean version is 2.13.1, although the FreeType website mentions nothing about a security update.
“This is a maintenance release with only minor modifications,” the update page said.
Via BleepingComputer




