Google Chrome FreeType Heap Buffer Overflow Vulnerability
What it is
Google Chrome uses FreeType, an open-source library for rendering fonts. FreeType contains a heap buffer overflow vulnerability in the function Load_SBit_Png when processing PNG images embedded into fonts. This vulnerability is part of an exploit chain with CVE-2020-17087 on Windows and CVE-2020-16010 on Android.
Who's affected
Anyone using Chrome or Chromium as their browser is affected. The browser is where staff log into cloud apps, banking, and client portals, so exploitation can mean session theft or credential exposure for every site you're signed into.
What to do
Apply updates per vendor instructions.
CISA action deadline: November 17, 2021. Federal agencies must complete the required action by this date. For private SMBs the deadline is advisory — but treat it as a strong recommendation, especially if you handle regulated data (HIPAA, GLBA, ABA model rules).
If you don't have someone in-house to verify the patch deployed across every endpoint — or you're not sure whether you're affected — that's exactly the kind of triage we do. Book a free 20-minute triage call.
Severity
CVSS base score: 9.6 — CRITICAL
Weakness classifications: CWE-787, CWE-120
Source
Pulled daily from the public cisagov/kev-data mirror (CC0). View the original entry on cisa.gov. CISA KEV is US-Government public-domain data; we add the SMB-vertical framing and the coping action above.
