
Call for testing - FreeType CVE-2025-27363

Jonathan Wright

Infrastructure SIG lead & ALESCo member

The Announcement

On Monday Meta announced a flaw in FreeType versions 2.13.0 and below that can allow remote code execution.

From the announcement:

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
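As an added illustration of the arithmetic described above (constructed for this post, not FreeType's code), a negative signed short assigned to an unsigned long and then incremented by a constant wraps to a tiny allocation size; the checked version rejects the negative count and the overflowing addition before anything is allocated. HEADER_BYTES, size_buggy and size_checked are hypothetical names.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed "static value" added to the count; not FreeType's constant. */
#define HEADER_BYTES 4UL

/* Buggy size computation as described in the announcement: the signed short
 * is sign-extended and converted to unsigned long (a huge value when
 * negative), and adding HEADER_BYTES then wraps around to a small number,
 * so the heap buffer allocated from it is far too small. */
unsigned long size_buggy(short n_subglyphs)
{
    unsigned long count = n_subglyphs;   /* -3 becomes ULONG_MAX - 2 */
    return count + HEADER_BYTES;         /* wraps: (ULONG_MAX - 2) + 4 == 1 */
}

/* Hardened version: refuse negative counts and check the addition for
 * overflow before the value is used as an allocation size.
 * Returns 0 and stores the size in *out on success, -1 on rejection. */
int size_checked(short n_subglyphs, unsigned long *out)
{
    if (n_subglyphs < 0)
        return -1;
    unsigned long count = (unsigned long)n_subglyphs;
    if (count > ULONG_MAX - HEADER_BYTES)
        return -1;                        /* would wrap */
    *out = count + HEADER_BYTES;
    return 0;
}

int main(void)
{
    unsigned long size;
    printf("buggy size for count -3: %lu\n", size_buggy(-3));
    if (size_checked(-3, &size) != 0)
        printf("checked size for count -3: rejected\n");
    if (size_checked(7, &size) == 0)
        printf("checked size for count 7: %lu\n", size);
    return 0;
}
```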

More information about this vulnerability can be found at these links:

Impact and Mitigation

The vulnerability is devious and rated highly enough that we are pulling in the patches for testing ahead of our upstream. These patches have been tested, but require further testing before we will release them to production. To help us out, please install the testing repo and then the updated packages, and share the results as soon as you can, either in AlmaLinux chat, on bugs.almalinux.org, or by emailing packager@almalinux.org.

Installing the testing repo on AlmaLinux

It only takes a few steps to install and test the patched version of FreeType in the testing repo.

Install the testing repo

dnf install -y almalinux-release-testing

Then update the package:

dnf update freetype

Confirm you have the patched version of the package

The patched RPM versions are listed further down in this article.

rpm -qa freetype

Note: We don’t recommend that you keep the testing repo enabled after you’ve updated the package, unless you’ve done this on a truly non-production environment. If this is a production environment, you can disable the repo with this command:

dnf config-manager --disable almalinux-testing

If you encounter problems, please let us know as soon as you can, either in AlmaLinux chat, on bugs.almalinux.org, or by emailing packager@almalinux.org.

AlmaLinux OS 8 & AlmaLinux OS 9

Both AlmaLinux 8 and AlmaLinux 9 are vulnerable to this CVE. Patches are not yet available from Red Hat, so the patch we are pulling in was written by Marc Deslauriers of Canonical and shared on the Openwall oss-security mailing list. It was adjusted and vetted by a member of the Meta security team.

We’d also like to thank Michel Lind of Meta for the initial backporting work in his PR to CentOS Stream 9 as well as for bringing this vulnerability to our attention.

Vulnerability Status and Patched packages

  • AlmaLinux 8 is patched in freetype-2.9.1-9.el8.alma.1 and above
  • AlmaLinux 9 is patched in freetype-2.10.4-9.el9.alma.2 and above

AlmaLinux OS Kitten 10

AlmaLinux OS Kitten is not vulnerable to this CVE.

More information and updates

We will update this blog post as future updates are available. Please also sign up for the AlmaLinux Announce mailing list to make sure you don’t miss any updates. If you have any questions or concerns, feel free to reach out in our community chat!

Stay updated!