CyberSecurity news
Google has released its May 2025 Android security update, addressing a total of 46 or 47 security flaws affecting Android devices. The update includes a fix for CVE-2025-27363, a high-severity vulnerability in the Android System component that has been actively exploited in the wild. The vulnerability, which is present in versions of FreeType up to 2.13, could allow for local code execution without requiring any additional execution privileges or user interaction. Google noted that there are indications that this flaw may be under limited, targeted exploitation.
The actively exploited vulnerability, CVE-2025-27363, is an out-of-bounds write defect in the FreeType font rendering library. FreeType is a widely used open-source library that allows developers to render fonts and is found in over a billion devices. The vulnerability, discovered by Facebook security researchers in March 2025, has a base score of 8.1 on the CVSS scale. Exploitation of this flaw could lead to arbitrary code execution when parsing TrueType GX and variable font files.
The May 2025 security update contains two patch levels, 2025-05-01 and 2025-05-05, allowing Android partners to address a range of vulnerabilities on different devices. In addition to the FreeType flaw, the update also resolves eight other flaws in the Android System and 15 flaws in the Framework module, which could be abused to facilitate privilege escalation, information disclosure, and denial-of-service attacks. Google Pixel users will automatically receive the update, while other Android device manufacturers will release the patches after customizing the operating system for their specific hardware. Source code patches for all addressed vulnerabilities will be released to the Android Open Source Project repository.