All right, I give up: I can’t figure out how CVE-2025-27363, the FreeType variable font issue, could possibly be reached from a PDF.

Anybody have any ideas?

The Facebook advisory says “This vulnerability may have been exploited in the wild.”

I had assumed this was the WhatsApp PDF zero-click that Citizen Lab found.

However, PDFs don’t support choosing font variations for embedded fonts. As far as I can tell, there’s no way a PDF can trigger that code.

Am I missing something obvious? Or - terrifyingly - maybe this isn’t related to that zero-click (which WhatsApp said they blocked serverside without a client patch), which would mean there was another, different, zero-day targeting a Meta platform…


@zhuowei how do they patch something like this server-side on an e2e encrypted platform?
@nicolas17 @zhuowei probably by lying? I've seen claims that WhatsApp generates and stores the keys on the server, and while I don't know whether that's true, it would explain this table: https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-encrypted-messaging-apps

@siguza @nicolas17 @zhuowei That overview is from 2021 and WA introduced e2ee only in 2016. It takes some years for all clients to switch over.
@http @siguza @nicolas17 @zhuowei WhatsApp tends to be pretty aggressive about expiring old versions a few months after they’re released, though said check appears to be at least partially client-side.