Meta’s Facebook security team has raised an alarm after spotting live exploitation of a zero-day vulnerability in the widely used FreeType software development library.
In a barebones advisory, Facebook warned that the security defect was found in FreeType versions 2.13.0 and below and provides a pathway for arbitrary code execution attacks.
“This vulnerability may have been exploited in the wild,” Facebook said, without providing any details on the reported attacks. The bug has been tagged as CVE-2025-27363 and carries a CVSS severity score of 8.1 out of 10.
The full Facebook bulletin:
“An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files.
The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution.”
Affected systems include those running older versions of FreeType, such as versions bundled with some older Linux distributions. Although the latest version, FreeType 2.13.3, is not vulnerable, many current systems remain at risk.
Organizations are advised to update FreeType to version 2.13.3 or later and monitor systems for signs of suspicious activity.
This is not the first time the open-source rendering engine has been targeted for malicious malware attacks. Back in 2020, Google pushed a major Chrome browser update to cover a FreeType zero-day being exploited in the wild and flagged FreeType zero-days among those used by a high-profile APT group.
Related: Google Chrome Patches Actively Exploited FreeType Vulnerability
Related: Sophisticated APT Group Burned 11 Zero-Days in Spying Operation
Related: Chinese Researchers Earn $20,000 for Chrome Sandbox Escape
Related: Facebook Disrupts Chinese Spies Using iPhone, Android Malware
