Israeli spyware firm Paragon Solutions was revealed by Meta-owned WhatsApp to have exploited an out-of-bounds flaw in the FreeType open-source library, tracked as CVE-2025-27363, months after Meta disclosed the issue to have been actively abused for arbitrary code execution, SecurityWeek reports.
Such a vulnerability, which was identified in FreeType 2.13.0 and earlier, could be triggered by TrueTypeGX and variable font file-related font subglyph structure parsing, according to an advisory from Meta. "The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer," Meta added. The development comes as Paragon's Graphite spyware was observed by Citizen Lab researchers to have compromised iPhones running up-to-date software. Apple has since addressed the vulnerability. Canada, Australia, Israel, Denmark, Cyprus, Singapore, and Italy were also noted by Citizen Lab to have used Graphite spyware.
Such a vulnerability, which was identified in FreeType 2.13.0 and earlier, could be triggered by TrueTypeGX and variable font file-related font subglyph structure parsing, according to an advisory from Meta. "The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer," Meta added. The development comes as Paragon's Graphite spyware was observed by Citizen Lab researchers to have compromised iPhones running up-to-date software. Apple has since addressed the vulnerability. Canada, Australia, Israel, Denmark, Cyprus, Singapore, and Italy were also noted by Citizen Lab to have used Graphite spyware.
