Home > Security > Security News

Facebook Says ‘FreeType’ Arbitrary Code Execution Vulnerability May Have Been Exploited in the Wild

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer
facebook

Meta recently warned of active exploitation risk regarding the critical flaw tracked as CVE-2025-27363 that affects Facebook’s FreeType open-source font rendering library. This out-of-bounds write issue could allow attackers to execute code remotely by exploiting certain font files.

The advisory details how the vulnerability, assigned a CVSS score of 8.1, occurs in FreeType versions 2.13.0 and below. While Meta has declined to provide specifics on the nature or scale of the exploitation, they acknowledged that the vulnerability "may have been exploited in the wild."

The flaw arises when parsing font ‘subglyph’ structures related to TrueType GX and variable font files.

Metta warns of CVE-2025-27363 (screenshot).
Metta warns of CVE-2025-27363 (screenshot) | Source: Facebook

Specifically, the vulnerability results when a signed short value is assigned to an unsigned long and a static value is added, causing a buffer overflow. The system writes up to six signed long out of bounds integers, potentially leading to arbitrary code execution.

Despite the mitigations in recent updates, this issue remains widespread due to several major Linux distributions still utilizing outdated versions of FreeType. The vulnerability has already been patched in FreeType versions beyond 2.13.0 almost two years ago, with the current stable release being 2.13.3 

Given FreeType's critical role in rendering fonts across platforms, administrators and users are strongly urged to update to the latest FreeType version to mitigate the risk of exploitation. 

For Linux distributions that do not yet offer updates, additional vigilance and proactive measures are recommended until patches are made available.

Meta is currently in the middle of a lawsuit that accuses Facebook’s parent company of training its artificial intelligence (AI) models via torrented content, with over 81TB of data downloaded via Anna’s Archive.


Add a Comment
Related
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
Man holding an envelope targeted by a fishing hook, depicting phishing attack
Blind Eagle Launches New Cyber Campaigns Against Colombia’s Govt and Financial Institutions
New Cybersecurity Threat Targets Japanese Organizations Via Actively Exploited RCE Flaw
Novel ‘EvilLoader’ Telegram  Vulnerability Cloaking APKs as Video Files Threatens Android Users
CISA Adds Cisco, Hitachi, Microsoft Exploited Vulnerabilities to Catalog, Urges Remediation
Spyzie Stalkerware Vulnerability Exposes Sensitive Data of Thousands of Users
Most Popular
Adolescence
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices
Garantex Administrator Aleksej Besciokov Arrested by Authorities in India Following US Directive
Novocaine
Everything we know About Novocaine (2025) film: Jack Quaid Stars in Action-Packed Thriller
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices
Garantex Administrator Aleksej Besciokov Arrested by Authorities in India Following US Directive
Everything we know About Novocaine (2025) film: Jack Quaid Stars in Action-Packed Thriller

Most Popular
Adolescence
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices
Garantex Administrator Aleksej Besciokov Arrested by Authorities in India Following US Directive
Novocaine
Everything we know About Novocaine (2025) film: Jack Quaid Stars in Action-Packed Thriller
Adolescence Ending Explained: Jamie’s Motivations to kill Katie, Eddie’s Guilt, and Online Radicalization
Invincible Season 3 Episode 8 Ending Explained: Conquest's fate, Atom Eve’s Power & Season 4 Setups
‘Head Mare’ and ‘Twelve’ Hacktivists Allegedly Collaborate in Targeted Russian Attacks
North Korean Spyware ‘KoSpy’ Attributed to APT37 Targets Android Devices
Garantex Administrator Aleksej Besciokov Arrested by Authorities in India Following US Directive
Everything we know About Novocaine (2025) film: Jack Quaid Stars in Action-Packed Thriller

© 2025 TechNadu, a part of Leaprove Media LLP. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: