Meta warns of worrying security flaw hitting open source type software

Facebook warned about a flaw in FreeType which could be used in remote code execution
The flaw “may have been exploited in the wild,” the company said
A patch was recently released to address the vulnerability

Facebook is warning about an out of bounds write vulnerability in FreeType, which could allow threat actors to remotely execute arbitrary code (RCE). In a security advisory published by the company, it said that the vulnerability “may have been exploited in the wild.”

FreeType is an open-source software library that renders fonts. It supports various formats like TrueType, OpenType, and Type1, and is widely used in graphics applications, game engines, and operating systems to display high-quality text.

Major projects like Android, Linux, Unreal Engine, and ChromeOS rely on it for font rendering.

Patching the bug

The vulnerability is tracked as CVE-2025-27363, and was given a severity score of 8.1 (high). It affects the library’s versions 2.13.0 and older.

It can be triggered “when attempting to parse font subglyph structures related to TrueType GX and variable font files,” Facebook explained in the advisory. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer.”

While Facebook was the one warning about the vulnerability, it is unclear if it is relying on the library and in what capacity. Also, it said the vulnerability “may have been exploited in the wild,” but did not elaborate if it saw the attacks on its own platform, or elsewhere.

To tackle the problem, software developers should upgrade their FreeType to the latest version (2.13.3) as soon as possible. The first clean version is 2.13.1, although the FreeType website mentions nothing about a security upgrade.

“This is a maintenance release with only minor changes,” it was said on the updates page.

Via BleepingComputer

https://cdn.mos.cms.futurecdn.net/TWkP7ZurZMY6uepDxsK6Ha-1200-80.jpg

Source link

Why are running shoes different for men vs women? I tested the specialist QLVR shoe to find out

Amstel Gold Race 2026 live streams: How to watch cycling online for FREE

Amstel Gold Race 2026 live streams: How to watch cycling online for FREE

InnoCN GA27S1Q 27-inch QD-OLED monitor review

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Joseph Duggar, Kendra Duggar’s Marriage Before His Child Molestation Charge

April 21 Is An Unmissable Day For Xbox Game Pass Members

7 Movies That Are Pure Rage-Bait, Ranked

Wrestlemania 42: All of the Match Winners, Returns, and Surprises — Updating Live!

Business News Live, Share Market News – Read Latest Finance News, IPO, Mutual Funds News

Don’t trust the hype: Why earnings quality matters more than broker calls in today’s volatile market

Business News Live, Share Market News – Read Latest Finance News, IPO, Mutual Funds News

Market Trading Guide: Buy Shipping Corporation and Power Grid on Monday for short-term gains of up to 29%

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Meta warns of worrying security flaw hitting open source type software

Joseph Duggar, Kendra Duggar’s Marriage Before His Child Molestation Charge

Business News Live, Share Market News – Read Latest Finance News, IPO, Mutual Funds News

April 21 Is An Unmissable Day For Xbox Game Pass Members

Don’t trust the hype: Why earnings quality matters more than broker calls in today’s volatile market