May 6, 2025 — Google has issued its monthly Android security bulletin, highlighting a major vulnerability—CVE-2025-27363—that is confirmed to have been actively exploited in the wild. The critical flaw is part of a batch of 46 vulnerabilities patched in the May 2025 Android update, and it affects a core Android System component used by millions of devices globally.
CVE-2025-27363: What You Need to Know
CVE-2025-27363 is an out-of-bounds write vulnerability in the Android System, specifically within the FreeType library—a popular open-source font rendering engine. The flaw is especially concerning because it allows for local code execution without requiring any user interaction or elevated privileges, making it a potent tool for attackers seeking to silently exploit Android devices.
Originally discovered by Facebook’s security team, the vulnerability came to light after being observed in actual attacks. The issue affects the processing of TrueType GX and variable fonts, enabling maliciously crafted font files to trigger unintended memory operations, potentially leading to remote code execution (RCE).
FreeType addressed the vulnerability in its latest versions, starting with version 2.13.1. However, Android devices that are not running patched versions remain at risk.
Scope of the May 2025 Security Update
Beyond CVE-2025-27363, Google’s May security bulletin covers a total of 46 security flaws:
- 8 vulnerabilities in the Android System module
- 15 vulnerabilities in the Android Framework
- Additional flaws in Kernel, Vendor components, and Google Play system updates
Several of these vulnerabilities could enable information disclosure, privilege escalation, or denial-of-service (DoS) attacks. While CVE-2025-27363 is the only one flagged as currently under active exploitation, the entire set of fixes improves the overall security posture of Android platforms, especially those running Android 13 and newer.
Google has not disclosed the full technical details of the exploitation chain used in real-world attacks, but emphasized that multiple layers of hardening in recent Android versions limit the impact of such vulnerabilities. Devices running Android 12 or earlier, however, may be more exposed.
Who Is Affected?
The vulnerability affects a wide range of Android-powered devices, including smartphones, tablets, and potentially smart TVs or other Android-based systems that make use of the vulnerable FreeType rendering engine.
According to Facebook, the exploit was observed targeting older Android versions and possibly leveraged in state-sponsored or targeted cyber-espionage campaigns. However, no specific threat actor has been publicly attributed so far.
Mitigation and Recommendations
Security experts and Google alike recommend users take the following steps immediately:
- Update Your Device: Ensure your Android device is running the May 2025 security patch. You can check this under Settings > Security > Security patch level.
- Upgrade FreeType (where applicable): For developers or custom OS maintainers, updating FreeType to version 2.13.1 or later is essential.
- Avoid Third-Party Fonts: Be cautious of apps or websites prompting the download of unfamiliar font files.
- Use Google Play Protect: Keep Google Play Protect enabled for real-time scanning of malicious apps.
Organizations managing large Android device fleets should also use mobile device management (MDM) solutions to enforce timely security updates and restrict the installation of unverified applications.
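As an added example (not from the bulletin or this article), a small POSIX shell fleet check that classifies each device by its reported security patch level against the May 2025 level and checks a FreeType version string against 2.13.1; the adb collector assumes adb is installed and the sample inventory lines are constructed.

```shell
#!/bin/sh
# Added fleet check, not part of the bulletin or article. Thresholds come from
# the article (May 2025 patch level, FreeType 2.13.1); names are assumptions.
REQUIRED_PATCH=20250501   # YYYYMMDD form of the 2025-05-01 patch level

# patch_is_current YYYY-MM-DD: 0 if at or after the required level,
# 1 if older, 2 if the value is not a patch-level date at all.
patch_is_current() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  [ "$(printf '%s' "$1" | tr -d '-')" -ge "$REQUIRED_PATCH" ]
}

# freetype_is_patched MAJOR.MINOR.PATCH: 0 if the build is 2.13.1 or later.
freetype_is_patched() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  [ "$major" -gt 2 ] && return 0
  [ "$major" -lt 2 ] && return 1
  [ "$minor" -gt 13 ] && return 0
  [ "$minor" -lt 13 ] && return 1
  [ "$patch" -ge 1 ]
}

# collect_adb_inventory prints "serial<TAB>patch_level" for each authorised
# device attached via adb (assumes adb is on PATH); pipe into audit_inventory.
collect_adb_inventory() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r s; do
    lvl=$(adb -s "$s" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s\t%s\n' "$s" "$lvl"
  done
}
# audit_inventory reads "serial<TAB>patch_level" lines on stdin, prints
# "serial STATUS" per device and returns 1 if any device still needs the patch.
audit_inventory() {
  rc=0
  while IFS="$(printf '\t')" read -r serial level; do
    [ -n "$serial" ] || continue
    if patch_is_current "$level"; then st=OK
    else case $? in 2) st=UNKNOWN ;; *) st=NEEDS_PATCH ;; esac; rc=1
    fi
    printf '%s %s\n' "$serial" "$st"
  done
  return $rc
}
# Constructed sample inventory standing in for collect_adb_inventory output.
printf 'SN-A1\t2025-05-05\nSN-B2\t2025-02-01\nSN-C3\tunknown\n' | audit_inventory \
  || echo "at least one device is missing the May 2025 patch"
```

Replace the constructed sample with `collect_adb_inventory | audit_inventory` to run it against attached devices.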
Google’s Ongoing Security Push
This incident underscores Google’s continued efforts to secure the Android ecosystem by working closely with open-source communities, such as FreeType, and third-party security researchers. The rapid identification and patching of CVE-2025-27363—within weeks of disclosure—demonstrates an improved response cycle compared to past years.
Still, fragmentation in the Android ecosystem remains a challenge, as not all manufacturers roll out updates in a timely fashion. Google continues to push for broader adoption of Project Mainline, which allows modular updates directly through Google Play, bypassing OEM delays.
Final Thoughts
With CVE-2025-27363 already being exploited, this month’s Android security update is one of the most critical in recent times. Android users, particularly those using older devices or running outdated software, are strongly advised to patch immediately.
Failing to do so could leave devices vulnerable to silent, local code execution attacks—highlighting once again the importance of staying current with mobile security updates in today’s rapidly evolving threat landscape.