Full Report
Meta has warned that a security vulnerability impacting the FreeType open-source font rendering library may have been exploited in the wild. The vulnerability has been assigned the CVE identifier CVE-2025-27363, and carries a CVSS score of 8.1, indicating high severity. Described as an out-of-bounds write flaw, it could be exploited to achieve remote code execution when parsing certain font
Analysis Summary
# Vulnerability: FreeType Out-of-Bounds Write Leading to RCE (CVE-2025-27363)
## CVE Details
- CVE ID: CVE-2025-27363
- CVSS Score: 8.1 (High)
- CWE: (Not explicitly stated, but implied to be related to buffer errors/improper bounds checking)
## Affected Systems
- Products: FreeType open-source font rendering library
- Versions: 2.13.0 and below
- Configurations: When parsing specific font subglyph structures within TrueType GX and variable font files.
## Vulnerability Description
The vulnerability is an out-of-bounds write flaw. It occurs when processing certain font files (TrueType GX, variable fonts) because the code incorrectly handles a signed short value assigned to an unsigned long, causing an integer wrap-around in the computed buffer size. This leads to the allocation of a heap buffer that is too small. Consequently, the code writes up to 6 signed long integers out-of-bounds relative to this buffer, potentially resulting in arbitrary code execution.
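The integer-conversion mistake described above is easier to see in a small model than in prose. The following is an added example, not FreeType's code: it models the bug class only (a signed 16-bit count converted to an unsigned size type and used in allocation arithmetic) next to a hardened size computation that rejects negative counts and checks for overflow. The function names, the header overhead passed in as `header_bytes`, and the fixed 8-byte element size are assumptions for illustration; the example never performs the out-of-bounds write itself.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the advisory's bug class. This is NOT FreeType's
 * code: the names and the 8-byte element size (a 64-bit long) are
 * illustrative assumptions. */
#define ELEM_SIZE 8UL
#define ALLOC_SIZE_INVALID SIZE_MAX   /* sentinel: never a valid allocation size */

/* Buggy size computation. A negative short converts to a huge unsigned long
 * (modular conversion), and the subsequent multiply-and-add wraps it back
 * around to a tiny value, so the heap buffer ends up far too small. */
unsigned long buggy_alloc_size(short count, unsigned long header_bytes)
{
    unsigned long n = count;                 /* -1 becomes ULONG_MAX here */
    return n * ELEM_SIZE + header_bytes;     /* wraps modulo 2^(bits in long) */
}

/* Hardened computation: refuse negative counts before any conversion, and
 * check that count * ELEM_SIZE + header_bytes cannot overflow size_t. */
size_t safe_alloc_size(short count, size_t header_bytes)
{
    if (count < 0)
        return ALLOC_SIZE_INVALID;            /* untrusted field must be non-negative */
    size_t n = (size_t)count;
    if (n > (SIZE_MAX - header_bytes) / ELEM_SIZE)
        return ALLOC_SIZE_INVALID;            /* would wrap around */
    return n * ELEM_SIZE + header_bytes;
}

int main(void)
{
    /* Constructed input: a count field of -1 with 16 bytes of header overhead. */
    short count = -1;
    printf("buggy size for count=%d : %lu bytes\n", count, buggy_alloc_size(count, 16));
    size_t s = safe_alloc_size(count, 16);
    if (s == ALLOC_SIZE_INVALID)
        printf("safe size for count=%d  : rejected\n", count);
    else
        printf("safe size for count=%d  : %zu bytes\n", count, s);
    return 0;
}
```

With `count = -1` the buggy path returns 8 bytes, although the caller believes it has room for `count` elements plus the header; the hardened path rejects the value outright. The two checks in `safe_alloc_size` (sign before conversion, overflow before allocation) are the generic fix for this class regardless of which FreeType structure was involved.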
## Exploitation
- Status: May have been exploited in the wild
- Complexity: (Implied to be Low/Medium given the context of general font parsing, but not explicitly rated)
- Attack Vector: Remote (via crafted font file delivery)
## Impact
- Confidentiality: High (Due to potential RCE)
- Integrity: High (Due to potential RCE)
- Availability: High (Due to potential RCE)
## Remediation
### Patches
- FreeType version 2.13.3 or higher is reported to contain the fix.
- Versions later than 2.13.0 are no longer affected.
### Workarounds
- No specific workarounds detailed, other than upgrading. Users are strongly recommended to update their installations.
## Detection
- Detection relies on identifying installed FreeType library versions within the affected range (2.13.0 and below).
- **Affected Distributions noted:** AlmaLinux, Alpine Linux, Amazon Linux 2, Debian stable/Devuan, RHEL/CentOS Stream 8 & 9, GNU Guix, Mageia, OpenMandriva, openSUSE Leap, Slackware, and Ubuntu 22.04 are noted as running outdated versions susceptible to the flaw.
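Since detection comes down to a version check, here is an added helper (not FreeType's or any distribution's code) that classifies a FreeType version string against the affected range stated above. It parses the `major.minor.patch` form printed by `pkg-config --modversion freetype2`; the sample strings in `main` are constructed, and trailing distro suffixes such as `-1ubuntu1` are ignored by design.

```c
#include <stdio.h>
#include <string.h>

/* Added detection helper; not FreeType's code. Classifies a version string
 * against the advisory's affected range: 2.13.0 and below. */
typedef struct { int major, minor, patch; } ft_version;

/* Parse "2.13.0" (optionally followed by other text such as "-1ubuntu1").
 * A two-component "2.13" is read as "2.13.0". Returns 1 on success. */
int parse_ft_version(const char *s, ft_version *v)
{
    v->major = v->minor = v->patch = 0;
    int n = sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch);
    if (n == 2) n = 3;                       /* tolerate "major.minor" */
    return n == 3 && v->major >= 0 && v->minor >= 0 && v->patch >= 0;
}

/* Numeric comparison: negative, zero or positive like strcmp. */
int compare_ft_version(ft_version a, ft_version b)
{
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* Returns 1 if the version is within the affected range (<= 2.13.0),
 * 0 if it is past that range, and -1 if the string could not be parsed. */
int freetype_version_is_affected(const char *version_string)
{
    const ft_version last_affected = { 2, 13, 0 };
    ft_version v;
    if (!parse_ft_version(version_string, &v))
        return -1;
    return compare_ft_version(v, last_affected) <= 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs, including a distro-style suffix. */
    const char *samples[] = { "2.13.0", "2.13.3", "2.10.4-1ubuntu1", "2.12", "not-a-version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = freetype_version_is_affected(samples[i]);
        printf("%-18s -> %s\n", samples[i],
               r == 1 ? "in affected range (<= 2.13.0): review" :
               r == 0 ? "past affected range" : "unparseable version string");
    }
    return 0;
}
```

A version string alone is a hint, not a verdict: distributions frequently backport fixes without bumping the upstream version, so a match on the affected range should be confirmed against the distribution's own advisory for its freetype package before it is treated as a finding.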
## References
- Vendor advisory: FreeType (Implied via developer communication)
- Exploit details: FreeType Developer communication on oss-security mailing list: hxxps://lists.nongnu.org/archive/html/freetype-devel/2025-03/msg00000.html
- NVD Link: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-27363