Security advisories

FreeType Remote Code Execution in Multiple Products (CVE-2020-15999)

October 22, 2020 | 1 MIN READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On October 20th, 2020, a remote code execution vulnerability (CVE-2020-15999) in the FreeType open-source font library was publicly disclosed [1]. The FreeType library is widely used in a variety of applications, including Google Chrome [2] and Microsoft Edge [3] browsers. If exploited, CVE-2020-15999 allows for Remote Code Execution (RCE) or Denial of Service (DoS) on vulnerable machines. Attacks in the wild have been reported against vulnerable Google Chrome browsers.

Organizations are strongly advised to apply relevant security patches imminently.

What we’re doing about it

What you should do about it

Additional information

In an attack scenario, threat actors would need to convince a victim to interact with a specially crafted font file. Reports of threat actors exploiting CVE-2020-1599 against vulnerable versions of Chrome have been identified. It is not clear if other vulnerable applications have been targeted at this time. Confirmed vulnerable web-browsers should be prioritized for patching as they have a higher likelihood of being exposed to untrusted code.

CVE-2020-15999 is classified as a Heap-based Buffer Overflow vulnerability in the open-source FreeType library. The FreeType library is incorporated into a wide variety of software, meaning multiple programs and operating systems other than Chrome are likely affected. Additional vendor updates are expected in the near future.

Confirmed Vulnerable:

References:

[1] https://www.cybersecurity-help.cz/vdb/SB2020102038

[2] https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html

[3] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002

[4] https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

View Most Recent Advisories