FreeType is a popular open source font rendering library used to rasterize and manipulate fonts. It provides functionality for loading, rasterizing, and rendering fonts in various formats, including TrueType (TTF), OpenType (OTF), and more. This library is used in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.
The vulnerability identified was assigned the identifier CVE-2025-27363 and received a CVSS score of 8.1. The issue was fixed in FreeType 2.13.0, released on February 9, 2023.
Researchers published information about the vulnerability this week, warning that the issue poses a risk to all versions of FreeType up to 2.13 and has already been used in attacks.
“An out-of-bounds write issue was discovered in FreeType versions prior to 2.13.0 when attempting to parse subglyph structures of fonts associated with TrueType GX and variable font files,” the bulletin says. “The vulnerable code assigns a signed short to an unsigned long and then adds a static value, causing an overflow and allocation of an undersized heap buffer. The code then writes up to 6 signed longs, exceeding the bounds of that buffer. This may lead to arbitrary code execution.”
Facebook likely uses FreeType in some form, but it is not known whether the attacks in question were discovered on the social network itself or were discovered elsewhere. The researchers do not provide any additional information about how the bug is being exploited.
Given the widespread adoption of FreeType across multiple platforms, developers and administrators are encouraged to update FreeType to the latest version 2.13.3 as soon as possible.