Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can result in arbitrary code execution, with reports that the flaw has been exploited in attacks.
FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others.
The library is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.
The vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of 8.1 ("high"), was fixed in FreeType version 2.13.0 on February 9th, 2023.
Facebook disclosed the flaw yesterday, warning that the vulnerability is exploitable in all versions of FreeType up to version 2.13 and that there are reports of it actively being exploited in attacks.
"An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files," reads the bulletin.
"The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer."
"The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution."
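The sizing pattern the bulletin describes, as an added illustration in C that is not FreeType's code: a negative 16-bit count sign-extends when widened to unsigned long, the added constant wraps the sum back to a tiny element count, and the hardened version rejects the value before any buffer is sized. The constant `EXTRA_ENTRIES`, the function names and the sample count of -2 are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed illustration of the sizing pattern the bulletin describes;
 * this is not FreeType's code. EXTRA_ENTRIES stands in for the "static
 * value" the bulletin mentions and is an assumed number. */
#define EXTRA_ENTRIES 4UL

/* Buggy pattern: a signed short is widened to unsigned long. A negative
 * count such as -2 becomes ULONG_MAX - 1; adding the constant then wraps
 * the sum back to a tiny element count, so the heap buffer is far too small. */
unsigned long buggy_entry_count(short count_from_file)
{
    unsigned long n = count_from_file;   /* implicit sign extension */
    n += EXTRA_ENTRIES;                  /* unsigned wrap-around */
    return n;
}

/* Hardened version: refuse negative counts before widening and check the
 * addition and the byte-size multiplication explicitly. Returns the element
 * count, or -1 if the value read from the file cannot be trusted. */
long safe_entry_count(short count_from_file)
{
    if (count_from_file < 0)
        return -1;                       /* a count can never be negative */
    unsigned long n = (unsigned long)count_from_file;
    if (n > ULONG_MAX - EXTRA_ENTRIES)
        return -1;                       /* addition would wrap */
    n += EXTRA_ENTRIES;
    if (n > SIZE_MAX / sizeof(long))
        return -1;                       /* n * sizeof(long) would overflow */
    return (long)n;
}

/* Does a write of `writes` longs stay inside a buffer sized by the buggy
 * computation? With count -2 the buffer holds 2 entries, so the 6-entry
 * write the bulletin describes runs past its end. */
bool write_fits(short count_from_file, unsigned long writes)
{
    return buggy_entry_count(count_from_file) >= writes;
}
```

The same check applies to any count read from an untrusted file: validate the sign and range in the original width, then do the arithmetic with explicit overflow checks before calling the allocator.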
Facebook may rely on FreeType in some capacity, but it's unclear if the attacks seen by its security team took place on its platform or if they discovered them elsewhere.
Considering the widespread use of FreeType across multiple platforms, software developers and project administrators should upgrade to FreeType 2.13.3 (latest version) as soon as possible.
Although the latest vulnerable version (2.13.0) dates back two years, older library versions can persist in software projects for extended periods, making it crucial to address the flaw as soon as possible.
BleepingComputer asked Meta about the flaw and how it was exploited, and was sent the following statement.
"We report security bugs in open source software when we find them because it strengthens online security for everyone," Facebook told BleepingComputer.
"We think users expect us to keep working on ways to improve security. We remain vigilant and committed to protecting people's private communications."