freetype 2 vulnerability awareness

Security researchers have uncovered a dangerous vulnerability lurking in one of the internet’s most ubiquitous components. The flaw, tracked as CVE-2025-27363, affects FreeType versions 2.13.0 and below and scores a concerning 8.1 on the CVSS severity scale. It’s not some minor glitch. This is serious business.

A critical vulnerability hiding in plain sight, threatening millions of devices across the digital ecosystem.

The vulnerability is an out-of-bounds write in font subglyph parsing, specifically when handling TrueType GX and variable font files. In plain English? The code assigns a signed short read from the font to an unsigned long, then adds a static value to it. A negative short becomes a huge unsigned number, and the addition wraps it back around toward zero, so the heap buffer that gets allocated is far too small. The parser then writes up to six signed long integers past the end of that buffer. Yikes.
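To make the integer wrap concrete, here is an added illustration of the bug class in C; it is not FreeType’s code and does not reproduce ttgxvar.c. It models a parser that reads a signed 16-bit count from a font, widens it to unsigned long, adds a fixed tail of six long slots (a stand-in for the static value the advisory mentions), and allocates from that sum. The vulnerable functions only compute sizes, so nothing here performs the actual out-of-bounds write; the hardened builder beside them allocates and fills a real buffer. All names and the constant TRAILING_LONGS are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustration of the bug class, not FreeType's code. The parser writes
 * "count" entries followed by a fixed tail of TRAILING_LONGS values;
 * the tail length is chosen to match the advisory's "up to six". */
#define TRAILING_LONGS 6UL

/* Vulnerable size computation: the signed short is converted to unsigned
 * long (a negative count becomes a value near ULONG_MAX), then the static
 * tail is added, which wraps the sum back toward zero. This happens
 * whether unsigned long is 32 or 64 bits wide. */
unsigned long vuln_alloc_entries(short count_from_font)
{
    unsigned long n = count_from_font; /* -6 becomes ULONG_MAX - 5 */
    n += TRAILING_LONGS;               /* wraps: ULONG_MAX - 5 + 6 == 0 */
    return n;                          /* caller would malloc(n * sizeof(long)) */
}

/* How many longs the writer really emits: the entry loop simply does not
 * run for a negative count, but the tail is written unconditionally. */
unsigned long longs_written(short count_from_font)
{
    unsigned long entries = count_from_font > 0 ? (unsigned long)count_from_font : 0;
    return entries + TRAILING_LONGS;
}

/* Longs that would land past the end of the buffer the vulnerable
 * computation sizes; zero when the allocation was adequate. */
unsigned long vuln_oob_longs(short count_from_font)
{
    unsigned long alloc = vuln_alloc_entries(count_from_font);
    unsigned long need  = longs_written(count_from_font);
    return need > alloc ? need - alloc : 0;
}

/* Hardened computation: reject negative counts before widening, and check
 * the byte-size multiplication against SIZE_MAX so no wrap is possible. */
bool safe_alloc_bytes(short count_from_font, size_t *out_bytes)
{
    if (count_from_font < 0)
        return false;
    size_t entries = (size_t)count_from_font + TRAILING_LONGS;
    if (entries > SIZE_MAX / sizeof(long))
        return false;
    *out_bytes = entries * sizeof(long);
    return true;
}

/* Same check, returning 0 bytes instead of false on rejection. */
size_t safe_alloc_bytes_or_zero(short count_from_font)
{
    size_t bytes = 0;
    return safe_alloc_bytes(count_from_font, &bytes) ? bytes : 0;
}

/* Hardened builder: allocates exactly what it writes. Returns the number
 * of longs stored (never 0 on success, because the tail is always there),
 * or 0 on rejection or allocation failure; caller frees *out. */
unsigned long safe_build_table(short count_from_font, long **out)
{
    size_t bytes;
    *out = NULL;
    if (!safe_alloc_bytes(count_from_font, &bytes))
        return 0;
    long *buf = malloc(bytes);
    if (!buf)
        return 0;
    unsigned long i, n = bytes / sizeof(long);
    for (i = 0; i < (unsigned long)count_from_font; i++)
        buf[i] = (long)i;                  /* per-entry data */
    for (; i < n; i++)
        buf[i] = -1L;                      /* fixed tail, marked with -1 */
    *out = buf;
    return n;
}

/* Build a table, read one slot, free it. LONG_MIN signals a rejected
 * count or an index outside the table. */
long safe_table_slot(short count_from_font, unsigned long idx)
{
    long *table;
    unsigned long n = safe_build_table(count_from_font, &table);
    long value = (n != 0 && idx < n) ? table[idx] : LONG_MIN;
    free(table);
    return value;
}
```

A count of -6 makes the vulnerable path allocate zero longs and then write all six tail values out of bounds; -1 allocates five and spills one. The hardened path refuses any negative count outright, which is the check the wrap depends on being absent.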

The impact is staggering. Virtually every major operating system is affected – GNU/Linux, FreeBSD, Android, iOS, ChromeOS, you name it. Popular browser engines like Chromium, WebKit, and Gecko aren’t spared either. We’re talking millions of vulnerable devices. Let that sink in.

What’s worse? Attackers aren’t just sitting around admiring this vulnerability. It’s already being actively exploited in the wild, targeting Windows and Android systems, and security experts have found it used as part of sophisticated exploit chains. The bug sits in the TT_Get_MM_Var function in the truetype/ttgxvar.c component of FreeType 2. Sergei Glazunov of Google Project Zero deserves credit for catching this one.

The solution is straightforward but urgent: update to FreeType version 2.13.3 or later. Vendors like Ubuntu and Chromium have released patches. On a Linux box you can check the installed library version with `pkg-config --modversion freetype2`; keep in mind that distribution packages often backport the fix while keeping an older version string, so consult your vendor’s advisory rather than trusting the number alone. Just like with malware protection, individual awareness and vigilant updating are critical to preventing successful exploits. Install the updates. Restart your systems and any long-running applications that load FreeType. Do it now.

This isn’t the first time FreeType has faced security challenges. Similar vulnerabilities have emerged before, highlighting persistent risks in font parsing libraries. Remember CVE-2020-15999? Same story, different day.

The widespread nature of this vulnerability underscores a troubling reality: our digital infrastructure often rests on widely used open source components that, when compromised, create massive attack surfaces. The ubiquity of FreeType makes this particularly concerning. This vulnerability gives attackers an opportunity to execute arbitrary code through malicious font files embedded in documents or websites.

Patch now, ask questions later.
