FreeType Vulnerability Exploited in the Wild, Meta Warns


A newly disclosed vulnerability in the widely used FreeType font rendering library is reported to have been exploited in the wild, putting millions of devices across multiple platforms at risk. The flaw, tracked as CVE-2025-27363, carries a CVSS 3.1 base score of 8.1 (High) and affects FreeType versions 2.13.0 and earlier.

CVE-2025-27363 – FreeType Vulnerability Details

According to the advisory published by Meta (Facebook), the vulnerability is an out-of-bounds write that occurs while parsing font subglyph structures in TrueType GX and variable font files.

The root cause is an integer handling error: a signed short value read from the font is assigned to an unsigned long and a static value is then added to it. For a negative input the conversion yields a value close to the maximum of the unsigned type, the addition wraps around, and the resulting heap buffer is allocated far too small. The code then writes up to six signed long integers past the end of that buffer. Heap corruption of this kind can be turned into arbitrary code execution in the process rendering the font, potentially giving an attacker control of the affected system.
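The following is an added example that models the bug class just described; it is not FreeType's code, and the names, the EXTRA_SLOTS constant and the HEADER_LONGS store count are assumptions chosen for illustration. It contrasts the unchecked size computation with a hardened one and counts, without touching memory, how many stores would land out of bounds for a given count from the font.

```c
#include <stdio.h>
#include <limits.h>

/*
 * Constructed model of the bug class described above (an integer wrap while
 * computing a heap allocation size). This is NOT FreeType's code; the names,
 * EXTRA_SLOTS and HEADER_LONGS are assumptions chosen for illustration.
 */
#define EXTRA_SLOTS  4UL   /* stand-in for the static value added to the count */
#define HEADER_LONGS 6UL   /* stand-in for the fixed entries stored afterwards */

/* Vulnerable pattern. A signed 16-bit count read from the font is assigned to
 * an unsigned long: a negative value becomes ULONG_MAX + 1 + n (C11 6.3.1.3).
 * Adding EXTRA_SLOTS then wraps, so for -4 <= n <= -1 the result is 0..3 and
 * the buffer allocated from it is far smaller than the writes that follow. */
unsigned long vulnerable_slot_count(short n_from_font)
{
    unsigned long slots = n_from_font;  /* implicit conversion, no sign check */
    slots += EXTRA_SLOTS;               /* wraps when n_from_font is negative */
    return slots;
}

/* Hardened pattern: reject negative counts before widening and check the
 * addition for overflow. Returns 1 and sets *slots, or 0 for a bad count. */
int checked_slot_count(short n_from_font, unsigned long *slots)
{
    if (n_from_font < 0)
        return 0;                       /* malformed file: refuse to allocate */
    unsigned long n = (unsigned long)n_from_font;
    if (n > ULONG_MAX - EXTRA_SLOTS)
        return 0;                       /* would wrap; kept for the general pattern */
    *slots = n + EXTRA_SLOTS;
    return 1;
}

/* Models the store loop without touching memory: how many of the HEADER_LONGS
 * fixed stores would land past the end of a buffer of `slots` longs. */
unsigned long out_of_bounds_stores(unsigned long slots)
{
    return slots >= HEADER_LONGS ? 0 : HEADER_LONGS - slots;
}

int main(void)
{
    const short samples[] = { 10, 0, -1, -3, -4, -5 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short n = samples[i];
        unsigned long v = vulnerable_slot_count(n), c = 0;
        int ok = checked_slot_count(n, &c);
        printf("n=%3d  vulnerable slots=%20lu  oob stores=%lu  checked: %s\n",
               n, v, out_of_bounds_stores(v), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Note the shape of the dangerous window: only small negative counts wrap to a tiny, successfully allocated buffer (here -3 yields one slot and five out-of-bounds stores), while more negative values wrap to a huge size whose allocation simply fails. This is why a sign check before widening, as in checked_slot_count, is the right fix rather than a size cap after the fact.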

Why This Vulnerability Is a Major Concern

FreeType is deeply integrated into the software ecosystem, making this security flaw particularly alarming. The library is embedded within several operating systems, including:

  • GNU/Linux
  • FreeBSD
  • NetBSD
  • ChromeOS
  • ReactOS

Mobile platforms are also affected, with Android, Tizen, and iOS all at risk. Additionally, browser engines such as Chromium, WebKit, Gecko, and Goanna incorporate FreeType, exposing web users to potential attacks.

Many Linux distributions still ship FreeType versions older than 2.13.1 in their package repositories, including:

  • AlmaLinux
  • Alpine Linux
  • Amazon Linux 2
  • Debian Stable
  • RHEL/CentOS Stream 8 & 9
  • GNU Guix
  • Mageia, OpenMandriva, openSUSE Leap, Slackware, and Ubuntu 22.04

Risk Analysis of CVE-2025-27363

Risk Factor            Details
Affected products      FreeType 0.0.0 through 2.13.0 (2.13.1 and later are not affected)
Operating systems      GNU/Linux, FreeBSD, NetBSD, ChromeOS, ReactOS
Mobile platforms       Android, Tizen, iOS
Software & browsers    Ghostscript, Chromium, WebKit, Gecko, Goanna
Impact                 Heap memory corruption leading to arbitrary code execution and system compromise
Exploit prerequisites  A malicious TrueType GX or variable font must reach the FreeType parser (for example a font file opened by the user or a font served to a browser); no authentication needed
CVSS 3.1 score         8.1 (High)

Exploitation in the Wild

Meta's advisory warns that CVE-2025-27363 may already have been exploited in the wild. No details of the attacks have been published, but the warning indicates that threat actors are using malformed fonts against this parser to compromise systems.

This incident is reminiscent of CVE-2020-15999, a heap buffer overflow in FreeType's Load_SBit_Png function that was exploited in the wild against Google Chrome users and prompted an emergency Chrome update in 2020.

Mitigation Measures

Security experts strongly recommend upgrading to FreeType 2.13.3, the current release, which is not affected by this vulnerability.

For systems running older versions, immediate patching is critical. According to FreeType developer Werner Lemberg, the fix has been available for almost two years: 2.13.1 and all later releases are unaffected. Distributions that pin an older base version may carry the fix as a backport, so check the distribution's security advisory rather than relying on the version number alone.

Recommended Security Actions

  • Apply the FreeType 2.13.3 update, or your distribution's patched package, as soon as possible.
  • Prioritize updates for internet-facing systems and any software that renders untrusted fonts (browsers, document viewers, Ghostscript, mail clients).
  • Enhance network segmentation to limit the reach of a compromised host.
  • Monitor for crashes in font-rendering processes and for unexpected font files arriving through web, email or document channels.
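The following is an added triage helper, not FreeType's own code, for applying the version boundary stated above (2.13.0 and earlier affected, 2.13.1 and later not) to an inventory of installed versions. The inventory lines inside it are constructed; in practice the strings would come from `pkg-config --modversion freetype2` on each host or from FreeType's FT_Library_Version API inside a linked application.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added triage helper, not FreeType's own code: classifies a FreeType version
 * string against the affected range given above (2.13.0 and earlier affected,
 * 2.13.1 and later not). The inventory lines in main() are constructed.
 */
struct ft_version { int major, minor, patch; };

/* Accepts "2.13.3", "2.11.1+dfsg-1ubuntu0.2", "2.13", or the "VER-2-13-3"
 * form used by FreeType's git tags. Returns 1 on success, 0 if unparseable. */
int parse_ft_version(const char *s, struct ft_version *v)
{
    int parts[3] = { 0, 0, 0 };
    int i = 0;

    while (*s && !isdigit((unsigned char)*s))
        s++;                                   /* skip "VER-", "freetype-", ... */
    while (i < 3 && isdigit((unsigned char)*s)) {
        char *end;
        long n = strtol(s, &end, 10);
        if (n < 0 || n > 9999)
            return 0;
        parts[i++] = (int)n;
        s = end;
        if (*s != '.' && *s != '-')
            break;                             /* distro suffix or end of string */
        s++;
    }
    if (i < 2)
        return 0;                              /* need at least major.minor */
    v->major = parts[0];
    v->minor = parts[1];
    v->patch = parts[2];
    return 1;
}

/* Returns 1 if the version is in the affected range, 0 if it is not,
 * and -1 if the string could not be parsed. */
int freetype_affected(const char *version_string)
{
    const struct ft_version last_affected = { 2, 13, 0 };
    struct ft_version v;

    if (!parse_ft_version(version_string, &v))
        return -1;
    if (v.major != last_affected.major)
        return v.major < last_affected.major;
    if (v.minor != last_affected.minor)
        return v.minor < last_affected.minor;
    return v.patch <= last_affected.patch;
}

int main(void)
{
    /* constructed inventory: host name and reported version string */
    const char *inventory[][2] = {
        { "build-01", "2.13.3" },
        { "web-02",   "2.13.0" },
        { "ci-03",    "2.11.1+dfsg-1ubuntu0.2" },
        { "dev-04",   "VER-2-13-1" },
        { "tmp-05",   "unknown" },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = freetype_affected(inventory[i][1]);
        printf("%-8s %-24s %s\n", inventory[i][0], inventory[i][1],
               r == 1 ? "AFFECTED: upgrade to 2.13.3 or a distro-patched build" :
               r == 0 ? "not affected" : "unparseable: check manually");
    }
    return 0;
}
```

Treat an "AFFECTED" verdict as a prompt to check, not a final answer: Debian and Ubuntu style packages keep the upstream base version (here 2.11.1) in the string even after the fix has been backported, so confirm against the distribution's advisory or package changelog before closing the finding.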

Given FreeType’s widespread use, organizations and individual users must take proactive steps to mitigate risks associated with CVE-2025-27363. Cybersecurity teams should ensure prompt updates and continuously monitor for potential exploits targeting this vulnerability.
