- Facebook has warned of an out-of-bounds write flaw that could be used for remote code execution
- The flaw "may have been exploited in the wild," the company said
- A patch addressing the vulnerability has already been released
Facebook has warned of an out-of-bounds write vulnerability in FreeType that could allow threat actors to achieve remote code execution (RCE). In a security advisory published by the company, it said the vulnerability "may have been exploited in the wild."
FreeType is an open source software library that renders fonts. It supports several formats, including TrueType, OpenType and Type 1, and is widely used in graphics applications, game engines and operating systems to display high-quality text.
Major projects such as Android, Linux, Unreal Engine and ChromeOS rely on it for font rendering.
Patching the bug
The vulnerability is tracked as CVE-2025-27363 and was given a severity score of 8.1 (high). It affects versions 2.13.0 and earlier of the library.
It can be triggered "when attempting to parse font subglyph structures related to TrueType GX and variable font files," Facebook explained in the advisory. "The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer."
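The integer arithmetic the advisory describes, shown as an added C example that models the bug class rather than reproducing FreeType's source. The constant FIXED_LONGS, the function names and the sample inputs are assumptions of this example; only the sign-extension, wrap-around and "six longs written" behaviour come from the advisory text.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bug class described in the advisory, not
 * FreeType's source: a signed 16-bit count read from the font file is
 * assigned to an unsigned long, a constant is added, and the result sizes
 * a heap buffer into which the parser then writes a fixed number of longs.
 * FIXED_LONGS and the function names are assumptions for this example. */

#define FIXED_LONGS 6UL   /* the "up to 6 signed long integers" the advisory mentions */

/* Vulnerable size computation: sign-extension followed by wrap-around. */
unsigned long vuln_count(short n_from_file)
{
    unsigned long count = n_from_file;   /* -6 becomes ULONG_MAX - 5 */
    count += FIXED_LONGS;                /* ULONG_MAX - 5 + 6 wraps to 0 */
    return count;
}

/* Simulate the parser writing FIXED_LONGS longs into a buffer of `count`
 * elements, without corrupting memory: count the writes that would have
 * landed past the end of the buffer. Returns -1 if malloc fails. */
int vuln_writes_out_of_bounds(short n_from_file)
{
    unsigned long count = vuln_count(n_from_file);
    long *buf = malloc(count * sizeof *buf);   /* malloc(0) when count wrapped to 0 */
    int oob = 0;

    if (buf == NULL && count != 0)
        return -1;
    for (unsigned long i = 0; i < FIXED_LONGS; i++) {
        if (i < count)
            buf[i] = (long)i;   /* in bounds */
        else
            oob++;              /* the real code writes here: heap overflow */
    }
    free(buf);
    return oob;
}

/* Hardened computation: reject negative counts before the conversion and
 * guard the addition. Returns -1 for malformed input, else the count. */
long safe_count(short n_from_file)
{
    if (n_from_file < 0)
        return -1;                           /* malformed font: refuse to parse */
    unsigned long count = (unsigned long)n_from_file;
    if (count > ULONG_MAX - FIXED_LONGS)     /* cannot trigger for a short; kept for the general pattern */
        return -1;
    return (long)(count + FIXED_LONGS);
}

int main(void)
{
    short samples[] = { 10, -5, -6 };   /* constructed inputs: one benign, two that wrap */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("n=%d  vuln_count=%lu  writes OOB=%d  safe_count=%ld\n",
               samples[i], vuln_count(samples[i]),
               vuln_writes_out_of_bounds(samples[i]), safe_count(samples[i]));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The point to take away is that the sign check has to happen before the value is widened to unsigned: once `-6` has become `ULONG_MAX - 5`, a later `count < something` test no longer sees a negative number, and the constant added afterwards silently wraps the size to zero. In a real parser the loop would write past the heap chunk, which AddressSanitizer would report as a heap-buffer-overflow.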
While Facebook issued the advisory, it is not clear whether the company itself depends on the library, or in what capacity. It also said the vulnerability "may have been exploited in the wild," but did not elaborate on whether it observed the attacks on its own platform or elsewhere.
To address the issue, software developers should update their FreeType installation to the latest version (2.13.3) as soon as possible. The first fixed version is 2.13.1, although the FreeType website does not mention anything about a security fix in that release.
"This is a maintenance release with only minor changes," the update page says.
Via BleepingComputer