
Meta Issues Warning on FreeType Vulnerability (CVE-2025-27363) Amid Active Exploitation Concerns
This vulnerability, identified as CVE-2025-27363, has been assigned a CVSS score of 8.1, classifying it as a high-severity issue. It is categorized as an out-of-bounds write flaw, which could potentially be exploited to execute remote code when processing specific font files.
Meta’s advisory highlighted that FreeType versions 2.13.0 and earlier contain an out-of-bounds write vulnerability when processing font subglyph structures associated with TrueType GX and variable font files.
The issue arises from an allocation-size miscalculation in the vulnerable code. It assigns a signed short value to an unsigned long (which sign-extends a negative value into a very large one), then adds a fixed constant that wraps the result, so the heap buffer it allocates is too small. Consequently, up to six signed long integers may be written beyond the allocated buffer, potentially allowing arbitrary code execution.
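As an added illustration of the bug class described above (a model written for this page, not FreeType's own code; the function and constant names are hypothetical), the following C shows how a negative signed short widened into an unsigned long and then offset by a constant yields a tiny element count, and the bounds-checked computation that rejects it:

```c
#include <limits.h>
#include <stdlib.h>

/* Hypothetical constant standing in for the fixed value added to the
 * count; the real FreeType arithmetic is not reproduced here. */
#define EXTRA_ELEMENTS 4UL

/* Buggy size computation: assigning a negative short to an unsigned long
 * sign-extends it to a huge value, and adding the constant wraps that
 * value to a small element count (e.g. -2 becomes 2 on any width). */
unsigned long buggy_alloc_count(short n_subglyphs)
{
    unsigned long count = n_subglyphs;   /* implicit sign extension */
    return count + EXTRA_ELEMENTS;       /* modular wrap-around */
}

/* Hardened computation: reject negative counts and guard the addition.
 * Returns 1 and stores the count on success, 0 on rejection. */
int safe_alloc_count(short n_subglyphs, unsigned long *out)
{
    if (n_subglyphs < 0)
        return 0;
    unsigned long count = (unsigned long)n_subglyphs;
    if (count > ULONG_MAX - EXTRA_ELEMENTS)
        return 0;
    *out = count + EXTRA_ELEMENTS;
    return 1;
}

/* Reports how many elements a writer needing `needed` slots would exceed
 * a buffer sized with the buggy count (0 means it fits). Nothing is
 * actually written out of bounds; this only compares the sizes. */
unsigned long overflow_elements(short n_subglyphs, unsigned long needed)
{
    unsigned long have = buggy_alloc_count(n_subglyphs);
    return needed > have ? needed - have : 0;
}

/* Allocates with the checked count so a negative count never reaches
 * malloc; returns NULL when the count is rejected. */
long *alloc_checked(short n_subglyphs)
{
    unsigned long count;
    if (!safe_alloc_count(n_subglyphs, &count))
        return NULL;
    return malloc(count * sizeof(long));
}
```

Compiling the buggy path with `-fsanitize=undefined` will not flag it, since unsigned wrap-around is well-defined in C; the check has to be explicit.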
Unclear Exploitation Details
Meta has not provided details regarding the nature of exploitation, attackers involved, or the extent of the attacks. However, it has acknowledged that the flaw may have been actively exploited in real-world scenarios.
Developer Response and Impacted Linux Versions
Werner Lemberg, a FreeType developer, confirmed in a statement to The Ash Hacker News that a fix has been available for nearly two years. He clarified that FreeType versions newer than 2.13.0 are no longer affected.
Additionally, a report on the Open Source Security (oss-security) mailing list revealed that several Linux distributions still ship outdated versions of FreeType, leaving them vulnerable. The affected distributions include:
AlmaLinux
Alpine Linux
Amazon Linux 2
Debian stable / Devuan
RHEL / CentOS Stream / Alma Linux (versions 8 and 9)
GNU Guix
Mageia
OpenMandriva
openSUSE Leap
Slackware
Ubuntu 22.04
Recommended Action for Users
With reports of possible active exploitation, users are strongly advised to upgrade FreeType to version 2.13.3 as soon as possible to mitigate security risks and protect their systems from potential attacks.