Full Report
Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. [...]
Analysis Summary
# Vulnerability: FreeType 2 Out-of-Bounds Write Leading to Potential Code Execution
## CVE Details
- CVE ID: CVE-2025-27363
- CVSS Score: 8.1 (High)
- CWE: N/A (Implied: Buffer Over-write/Write)
## Affected Systems
- Products: FreeType 2 Library (used for font rendering)
- Versions: All versions up to and including 2.13.0.
- Configurations: Specific vulnerability triggered when parsing font subglyph structures related to TrueType GX and variable font files.
## Vulnerability Description
The vulnerability is an out-of-bounds write flaw occurring when FreeType attempts to parse TrueType GX and variable font subglyph structures. The root cause involves incorrectly assigning a signed short value to an unsigned long, causing a wrap-around effect. This leads to the allocation of a heap buffer that is too small. Subsequently, the parser writes up to six signed long integers out of bounds relative to this allocated buffer, which may result in arbitrary code execution.
## Exploitation
- Status: Exploited in the wild (Reports of active exploitation exist)
- Complexity: Likely Medium (Requires crafting a malicious font file for processing)
- Attack Vector: Network (If the font processing occurs remotely or via downloaded files)
## Impact
- Confidentiality: High (Due to potential arbitrary code execution)
- Integrity: High (Due to potential arbitrary code execution)
- Availability: High (Due to potential denial of service or system compromise)
## Remediation
### Patches
- FreeType version 2.13.0 was fixed on February 9th, 2023.
- **Recommended Upgrade:** Developers are urged to upgrade to FreeType **version 2.13.3** (the latest version as of the disclosure) or newer.
### Workarounds
- No specific workarounds were detailed in the provided context, but generally, avoiding processing untrusted TrueType GX or variable font files is advisable until upgrading.
## Detection
- Detection strategies are not explicitly detailed, but monitoring for suspicious heap manipulation or crashes during font file parsing in applications utilizing older FreeType versions would be relevant.
## References
- Vendor advisory (Facebook/Meta disclosure via BleepingComputer): [bleepingcomputer.com/news/security/facebook-discloses-freetype-2-flaw-exploited-in-attacks/]([defanged])
- NIST NVD Link (As referenced by CVE): [nvd.nist.gov/vuln/detail/CVE-2025-27363]([defanged])