Meta has identified a high-severity security flaw in the FreeType open-source font rendering library that may have been actively exploited by threat actors, The Hacker News reports.
The vulnerability, tracked as CVE-2025-27363, carries a CVSS score of 8.1 and is classified as an out-of-bounds write vulnerability.
Attackers could exploit this flaw to achieve remote code execution by supplying a crafted font file, specifically one whose subglyph structures, as used by TrueType GX and variable fonts, are parsed by the vulnerable code.
The flaw is present in FreeType versions 2.13.0 and earlier. According to Meta's advisory, the parser assigns a signed short value to an unsigned long and then adds a fixed value; for negative inputs the result wraps around, so the heap buffer that is allocated is too small, and the code then writes up to six signed long integers past its end. That out-of-bounds write is what could allow an attacker to execute arbitrary code.
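The arithmetic behind that description, as an added illustration of the bug class rather than FreeType's own code: a signed short read from the file is widened to unsigned long, a fixed amount is added, and the wrapped result sizes a heap buffer. The names (HEADER_SLOTS, buggy_slot_count, safe_alloc_bytes), the value 6 for the fixed increment, and the model of six unconditional writes are assumptions made for this example; the hardened version shows the checks that keep the same input from reaching the allocator.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for this example; the real FreeType code and its
   field names are not reproduced here. HEADER_SLOTS stands in for the
   fixed amount the advisory says is added to the file-supplied count. */
#define HEADER_SLOTS 6

/* Buggy sizing as the advisory describes it: a signed short from the font
   is assigned to an unsigned long, a constant is added, and the result is
   used as an element count. A negative count becomes a huge value and the
   addition wraps to a small one. Returns the element count the allocation
   would be made with. */
unsigned long buggy_slot_count(short count_from_file)
{
    unsigned long n = count_from_file;  /* -1 becomes ULONG_MAX */
    n += HEADER_SLOTS;                  /* ULONG_MAX + 6 wraps to 5 */
    return n;
}

/* Constructed model of "up to 6 signed long integers out of bounds": how
   many of the HEADER_SLOTS fixed writes land past the end of a buffer sized
   by buggy_slot_count(). A negative count skips the per-entry loop, so only
   the fixed writes happen. For counts below -6 the wrapped size is
   astronomically large and the allocation simply fails, which this model
   reports as 0 out-of-bounds writes. */
int buggy_oob_writes(short count_from_file)
{
    unsigned long slots = buggy_slot_count(count_from_file);
    if (slots >= HEADER_SLOTS)
        return 0;
    return HEADER_SLOTS - (int)slots;   /* 1..6 for counts -1..-6 */
}

/* Hardened sizing: reject negative counts before widening, do the
   arithmetic in size_t, and check for overflow before the multiply that
   turns slots into bytes. Returns 0 on success, -1 on rejection. */
int safe_alloc_bytes(short count_from_file, size_t *out_bytes)
{
    if (count_from_file < 0)
        return -1;
    size_t slots = (size_t)count_from_file + HEADER_SLOTS;
    if (slots > SIZE_MAX / sizeof(long))
        return -1;
    *out_bytes = slots * sizeof(long);
    return 0;
}

/* Convenience wrapper: byte size on success, 0 if the input was rejected. */
size_t safe_alloc_bytes_or_zero(short count_from_file)
{
    size_t bytes = 0;
    return safe_alloc_bytes(count_from_file, &bytes) == 0 ? bytes : 0;
}

int main(void)
{
    /* Constructed sample counts: a benign one, zero, and the negative
       values that wrap into an undersized buffer. */
    short samples[] = { 10, 0, -1, -5, -6 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = safe_alloc_bytes_or_zero(samples[i]);
        printf("count=%d buggy_slots=%lu oob_writes=%d hardened=%s\n",
               samples[i], buggy_slot_count(samples[i]),
               buggy_oob_writes(samples[i]),
               bytes ? "accepted" : "rejected");
    }
    return 0;
}
```

The check worth copying is the order of operations: the sign test happens on the narrow type before any widening, and the overflow test happens before the multiplication, so neither a negative count nor a large positive one can produce a buffer smaller than what is later written into it.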
While Meta has not disclosed details about the scope or origin of the exploitation, it has called on users to update their instances to FreeType 2.13.3 as soon as possible to mitigate the risk of exploitation.
FreeType developer Werner Lemberg stated that a patch has been available for nearly two years, but many Linux distributions remain vulnerable. Affected systems include Ubuntu 22.04, Debian, Amazon Linux 2, Alpine Linux, RHEL, and CentOS. Because distributions often backport fixes without changing the upstream version string, the package changelog or the distribution's own advisory is the reliable indicator of whether a system is patched, not the version number alone.