
Mar 13, 2025 | Ravie Lakshmanan | Open Source / Vulnerability

Meta has issued a warning about a security vulnerability affecting the FreeType open-source font rendering library, which may have been exploited in the wild.

The vulnerability, identified as CVE-2025-27363, has a CVSS score of 8.1, indicating a high level of severity. It is described as an out-of-bounds write flaw that can be exploited to achieve remote code execution when parsing specific font files.

According to the company’s advisory, “an out-of-bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files.” This occurs because the vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and a heap buffer that is too small to be allocated. As a result, the code writes up to 6 signed long integers out of bounds relative to this buffer, which may lead to arbitrary code execution.
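As an added illustration of the conversion-and-wrap pattern the advisory describes (this is constructed example code, not FreeType’s own; the function names and the `EXTRA_SLOTS` constant are assumptions), the undersized size computation is shown next to a checked version that rejects a negative count before widening it:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed constant standing in for the "static value" the advisory
 * mentions; the real value in FreeType is not given on the page. */
#define EXTRA_SLOTS 6

/* Vulnerable pattern: a signed 16-bit count is stored into an unsigned long,
 * then a constant is added. A negative count (e.g. -1 from a malformed font)
 * becomes ULONG_MAX, and adding EXTRA_SLOTS wraps to a tiny number, so the
 * heap buffer sized from it is far smaller than the later writes assume. */
unsigned long vulnerable_alloc_size(short num_subglyphs)
{
    unsigned long n = num_subglyphs;  /* sign-extend, then convert to unsigned */
    n += EXTRA_SLOTS;                 /* unsigned arithmetic wraps silently */
    return n * sizeof(long);          /* bytes for n signed longs */
}

/* Hardened pattern: validate the count in its signed form first, then do the
 * arithmetic in size_t with an explicit overflow check. Returns 0 (never a
 * valid size here, since EXTRA_SLOTS > 0) when the input must be rejected. */
size_t safe_alloc_size(short num_subglyphs)
{
    if (num_subglyphs < 0)
        return 0;                     /* malformed font data: refuse to size */
    size_t n = (size_t)num_subglyphs + EXTRA_SLOTS;
    if (n > SIZE_MAX / sizeof(long))
        return 0;                     /* multiplication would overflow */
    return n * sizeof(long);
}

int main(void)
{
    short counts[] = { 2, 0, -1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("count %d: vulnerable=%lu bytes, checked=%zu bytes\n",
               counts[i], vulnerable_alloc_size(counts[i]),
               safe_alloc_size(counts[i]));
    }
    return 0;
}
```

With a count of -1 the vulnerable computation yields room for only 5 longs, while the checked version refuses the input outright.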

The company has not provided details on how the vulnerability is being exploited, the parties responsible, or the scope of the attacks. However, it has acknowledged that the bug “may have been exploited in the wild.”


When contacted, FreeType developer Werner Lemberg stated that a fix for the vulnerability has been available for almost two years. “FreeType versions larger than 2.13.0 are no longer affected,” Lemberg said.

A separate message posted to the oss-security (Open Source Security) mailing list revealed that several Linux distributions ship an outdated version of the library and are therefore susceptible to the flaw. These distributions include:

  • AlmaLinux
  • Alpine Linux
  • Amazon Linux 2
  • Debian stable / Devuan
  • RHEL / CentOS Stream / Alma Linux / etc. 8 and 9
  • GNU Guix
  • Mageia
  • OpenMandriva
  • openSUSE Leap
  • Slackware, and
  • Ubuntu 22.04

Users are advised to update their instances to the latest version of FreeType (2.13.3), especially given the active exploitation of the vulnerability.
