Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks.
FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others.
The library is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.
The vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of 8.1 ("high"), was fixed in FreeType version 2.13.0 on February 9th, 2023.
Facebook disclosed the flaw yesterday, warning that the vulnerability is exploitable in all versions of FreeType up to version 2.13 and that there are reports of it actively being exploited in attacks.
"An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files," reads the bulletin.
"The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer."
"The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution."
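The arithmetic the bulletin describes, as an added illustration written for this article rather than FreeType's own code: a negative signed short is widened to unsigned long, a constant is added and the sum wraps to a tiny element count, beside a checked version that rejects the input. The constant `EXTRA_ELEMS`, the function names and the hostile value -1 are assumptions, not values from the advisory.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed constant standing in for the "static value" the bulletin mentions;
 * the real FreeType value is not given in the article. */
#define EXTRA_ELEMS 4UL

/* Element count computed the way the bulletin describes: a signed short is
 * converted to unsigned long and a constant is added. A negative short such
 * as -1 becomes ULONG_MAX, and adding EXTRA_ELEMS wraps it to a tiny value,
 * so a heap buffer sized from this result is far too small. */
unsigned long unsafe_elem_count(short count) {
    unsigned long n = (unsigned long)count;   /* -1 -> ULONG_MAX */
    return n + EXTRA_ELEMS;                   /* ULONG_MAX + 4 -> 3 */
}

/* Hardened equivalent: reject negative counts and check the addition for
 * overflow before it happens. Returns 0 on rejection (0 is never a valid
 * size here because EXTRA_ELEMS > 0). */
unsigned long safe_elem_count(short count) {
    if (count < 0) return 0;
    unsigned long n = (unsigned long)count;
    if (n > ULONG_MAX - EXTRA_ELEMS) return 0;
    return n + EXTRA_ELEMS;
}

/* Would `writes` long-sized stores fit in a buffer of `elems` longs?
 * Shows that the wrapped size cannot hold the six writes the bulletin
 * mentions, which is exactly the out-of-bounds condition. */
int writes_fit(unsigned long elems, size_t writes) {
    return elems >= writes;
}

int main(void) {
    short parsed = -1;                        /* constructed hostile count */
    unsigned long bad = unsafe_elem_count(parsed);
    unsigned long good = safe_elem_count(parsed);
    printf("unsafe: %lu elements, 6 writes fit: %s\n", bad,
           writes_fit(bad, 6) ? "yes" : "NO (heap overflow)");
    printf("safe:   %s\n", good ? "allocated" : "rejected input");
    return 0;
}
```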
Facebook may rely on FreeType in some capacity, but it's unclear whether the attacks observed by its security team occurred on its own platform or whether they were discovered elsewhere.
Considering the widespread use of FreeType across multiple platforms, software developers and project administrators should upgrade to FreeType 2.13.3 (the latest version) as soon as possible.
Although the latest vulnerable version (2.13.0) dates back two years, older library versions can persist in software projects for extended periods, making it important to address the flaw as soon as possible.
BleepingComputer asked Meta about the flaw and how it was exploited, and was sent the following statement.
"We report security bugs in open source software when we find them because it strengthens online security for everyone," Facebook told BleepingComputer.
"We think users expect us to keep working on ways to improve security. We remain vigilant and committed to protecting people's private communications."