CyberSecurity news
@cyberscoop.com
Google has issued its May 2025 Android security update, addressing a total of 47 vulnerabilities. Among these fixes is a critical zero-day flaw, identified as CVE-2025-27363, which has been actively exploited by attackers. The vulnerability resides within the widely used FreeType software library, a font rendering engine utilized in over a billion devices. This flaw could potentially allow attackers to execute arbitrary code on affected devices, posing a significant security risk.
The specific vulnerability, an out-of-bounds write defect in FreeType versions 2.13.0 and below, was initially disclosed by Facebook in March 2025. It carries a CVSS score of 8.1, indicating its high severity. Google has acknowledged that there are indications CVE-2025-27363 may be under limited, targeted exploitation, but the exact specifics are unknown. Users with Android versions 13, 14 and 15 are advised to update as soon as possible.
The update includes two patch levels, 2025-05-01 and 2025-05-05, allowing Android partners to address vulnerabilities across different devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-27363 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the necessary patches by May 27, 2025. Users can check their device's Android version and security update level in the Settings app to ensure their system is up to date.