Android's Fresh Update from Google Addresses 46 Security Vulnerabilities

Exploited Zero-Day Vulnerability Now Patched

Revised Android Security Bulletin: A New Patch to Secure Your Device

Google's most recent Android Security Update tackles 46 vulnerabilities posing threats to Android devices, one of which is a zero-day flaw in FreeType. This bug, known as CVE-2025-27363, is currently under "limited, targeted exploitation."

May's security update boasts a variety of fixes, including elevation of privilege flaws, information disclosure, denial of service vulnerabilities, and one remote code execution bug. All of these issues are considered high severity. The update also addresses issues related to Qualcomm, MediaTek, Arm, and Imagination Technologies components.

One active exploit in the wild

The zero-day addressed in this update is a remote code execution flaw impacting FreeType, an open-source font rendering library. Attackers can exploit this bug by manipulating the way the program processes certain files. CVE-2025-27363 affects FreeType versions 2.13.0 and below and was initially reported by security researchers at Facebook in March 2025. Although details of its exploitation have not been disclosed, it has been actively used in targeted attacks.

Staying Secure on Your Android Device

If you own an Android device, keep an eye out for the latest security update notifications. Google provides patches to Pixel phones and the core Android Open Source Project (AOSP) code, while other manufacturers, such as Samsung, Motorola, and Nokia, usually release updates around the same time.

This month's patches apply to AOSP versions 13, 14, and 15, with updates on May 1st and May 5th. The latter addresses all identified flaws, including CVE-2025-27363. Remember, Google discontinued support for Android 12 on March 31st, meaning devices with this older version will no longer receive security updates, potentially leaving them susceptible to some vulnerabilities.

To ensure your device is up-to-date, navigate to Settings > Security & privacy > System & updates > Security update and follow the prompts to download and install the update.
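The same check can be scripted for a device on a USB cable or for a fleet. This is an added example, not part of the original article: it compares a device's reported patch level with the 2025-05-05 level that covers CVE-2025-27363, and `check_device` reads the values over adb. The two `ro.build.version.*` properties are standard Android system properties; the function names and status labels are this example's own.

```shell
#!/bin/sh
# Added example: classify an Android device against the May 2025 bulletin.
# The two patch levels the article mentions; only the later one
# covers every fix, including CVE-2025-27363.
PARTIAL_LEVEL="2025-05-01"
FULL_LEVEL="2025-05-05"

# classify_patch_level RELEASE PATCH_LEVEL
# Prints one of: patched | partial | outdated | unsupported | unknown
classify_patch_level() {
    release=$1
    level=$2
    # Reject anything that is not YYYY-MM-DD before comparing it.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${release%%.*}
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # The article notes Android 12 lost support; this example treats
    # older releases the same way (assumption).
    if [ "$major" -le 12 ]; then echo unsupported; return 0; fi
    # ISO dates compare correctly as integers once the dashes are removed.
    have=$(echo "$level" | tr -d '-')
    full=$(echo "$FULL_LEVEL" | tr -d '-')
    part=$(echo "$PARTIAL_LEVEL" | tr -d '-')
    if [ "$have" -ge "$full" ]; then echo patched
    elif [ "$have" -ge "$part" ]; then echo partial
    else echo outdated
    fi
}

# check_device [SERIAL]: read both properties over adb and classify them.
check_device() {
    rel=$(adb ${1:+-s "$1"} shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb ${1:+-s "$1"} shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "release=$rel patch_level=$lvl status=$(classify_patch_level "$rel" "$lvl")"
}

# Constructed sample readings (release:patch_level), not from real devices.
for s in "15:2025-05-05" "14:2025-05-01" "13:2025-04-05" "12:2025-03-01" "14:n/a"; do
    echo "$s -> $(classify_patch_level "${s%%:*}" "${s#*:}")"
done
```

A `partial` result means the device reports the May 1st level only and still needs the May 5th level for the FreeType fix.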

Enrichment Insights:

  • CVE-2025-27363 is a high-severity out-of-bounds write flaw in the FreeType font rendering library, allowing arbitrary local code execution without requiring user interaction or additional privileges.
  • This flaw impacts versions 2.13.0 and below of FreeType and was first reported by Facebook in March 2025. Due to its severity and exploitation, it was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by May 27, 2025.
  • The vulnerability affects a broad range of Android devices, potentially more than a billion that use the vulnerable library. Google's May 2025 security update aims to mitigate this risk by incorporating a patched version (2.13.1 or later) of FreeType that remedies the out-of-bounds write flaw.

  1. A remote code execution vulnerability in FreeType, a font rendering library, is addressed in the latest Android Security Update in May 2025.
  2. Known as CVE-2025-27363, this high-severity out-of-bounds write flaw allows arbitrary local code execution without user interaction or additional privileges.
  3. Initially reported by security researchers at Facebook in March 2025, CVE-2025-27363 had already been actively used in targeted attacks.
  4. To secure Android devices, users should download and install the May 2025 security update, which includes a patched version (2.13.1 or later) of FreeType to mitigate the out-of-bounds write flaw.
