Meta has warned that a security vulnerability affecting FreeType, the open source font rendering library, may have been exploited in the wild.
The vulnerability has been assigned the CVE identifier CVE-2025-27363 and carries a CVSS score of 8.1, indicating high severity. Described as an out-of-bounds write flaw, it could be exploited to achieve remote code execution when parsing certain font files.
"An out-of-bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files," the company noted in an advisory.
"The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate an undersized heap buffer."
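The advisory's one-sentence root cause is a classic C integer conversion defect, and it is easier to reason about with a small model in front of you. The following is an added illustration written for this article; it is not FreeType's code and does not reproduce its parser. The function names, the constructed two-byte sample input and the 16-byte `HEADER_BYTES` overhead are assumptions chosen to model the pattern the advisory describes: a signed 16-bit count from the file lands in an `unsigned long`, a constant is added, and the sum wraps to a tiny size. The `safe_` variant shows the two checks a defender wants: reject negative counts before the conversion, and guard the addition against overflow.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed fixed overhead added to the element count (not a FreeType value). */
#define HEADER_BYTES 16UL

/* Font tables are big-endian; read a signed 16-bit value the way a parser
 * would pull an FT_Short-style field out of the file. */
static short read_i16_be(const unsigned char *p)
{
    return (short)(uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Models the defective pattern: the signed short is promoted to int,
 * then converted to unsigned long (so -1 becomes ULONG_MAX), and the
 * subsequent addition wraps to a small number. A heap allocation of that
 * size would be far smaller than the data later written into it. */
unsigned long unsafe_alloc_size(short count_from_file)
{
    unsigned long n = count_from_file;   /* -1 -> ULONG_MAX */
    return n + HEADER_BYTES;             /* ULONG_MAX + 16 wraps to 15 */
}

/* Hardened version: refuse negative counts before any widening conversion,
 * and check the addition explicitly so it can never wrap. Returns false
 * when the input should be rejected as malformed. */
bool safe_alloc_size(short count_from_file, unsigned long *out)
{
    if (count_from_file < 0)
        return false;                    /* negative count is invalid */
    unsigned long n = (unsigned long)count_from_file;
    if (n > ULONG_MAX - HEADER_BYTES)
        return false;                    /* addition would overflow */
    *out = n + HEADER_BYTES;
    return true;
}

/* Same computations driven from raw bytes, as a parser would see them. */
unsigned long unsafe_size_from_bytes(const unsigned char *p)
{
    return unsafe_alloc_size(read_i16_be(p));
}

bool safe_size_from_bytes(const unsigned char *p, unsigned long *out)
{
    return safe_alloc_size(read_i16_be(p), out);
}

int main(void)
{
    /* Constructed sample fields: a benign count of 100, and 0xFFFF (-1). */
    static const unsigned char benign[2] = { 0x00, 0x64 };
    static const unsigned char negative[2] = { 0xFF, 0xFF };
    unsigned long sz;

    printf("unsafe, benign : %lu\n", unsafe_size_from_bytes(benign));
    printf("unsafe, 0xFFFF : %lu  (wrapped)\n", unsafe_size_from_bytes(negative));
    printf("safe,   benign : %s %lu\n",
           safe_size_from_bytes(benign, &sz) ? "ok" : "rejected", sz);
    printf("safe,   0xFFFF : %s\n",
           safe_size_from_bytes(negative, &sz) ? "ok" : "rejected");
    return 0;
}
```

The wrapped result (15 bytes for a count of -1) is the whole story: the allocation succeeds, so nothing fails loudly, and the mismatch only surfaces when the code later writes as many elements as the original count implied. Parsers that read signed sizes from untrusted input should validate sign and range at the point of parsing, as `safe_alloc_size` does, rather than relying on later code to notice.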
The company did not share any specifics on how the shortcoming is being exploited or on the scale of the attacks. However, it acknowledged that the bug "may have been exploited in the wild."
Reached for comment, FreeType developer Werner Lemberg told The Hacker News that the vulnerability was fixed almost two years ago. "FreeType versions greater than 2.13.0 are no longer affected," Lemberg said.
In a separate message posted to the oss-security mailing list, it was revealed that several Linux distributions are running an outdated version of the library, leaving them susceptible. These include:
- AlmaLinux
- Alpine Linux
- Amazon Linux 2
- Debian stable / Devuan
- RHEL / CentOS Stream / AlmaLinux / etc. 8 and 9
- GNU Guix
- Mageia
- OpenMandriva
- openSUSE Leap
- Slackware, and
- Ubuntu 22.04
In light of active exploitation, users are advised to update their installations to the latest FreeType release (2.13.3) for optimal protection.