Security News > 2020 > October > Chrome Update Patches Actively Exploited FreeType Vulnerability
A Chrome 86 update released by Google on Tuesday patches several high-severity vulnerabilities, including a zero-day that has been exploited in the wild.
The actively exploited vulnerability is tracked as CVE-2020-15999 and it has been described as a heap buffer overflow bug affecting FreeType, a popular software library for rendering fonts.
In addition to Chrome and Chrome OS, FreeType is used in Linux and UNIX distributions, Android, iOS, ReactOS, and Ghostscript, which means the font engine is present on over a billion devices, according to its developers.
Glazunov, who shared details about the vulnerability on the FreeType bug tracked, noted that while the emergency fix appears to be working, a long-term patch will require a thorough code review.
Google Project Zero's Ben Hawkes noted on Twitter that while they have only spotted an exploit aimed at Chrome, other projects that use FreeType should also adopt the fix that was included in version 2.10.4.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-03 | CVE-2020-15999 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |