Google Urgently Addresses Critical Android Vulnerability (CVE-2025-27363) That’s Already Exploited

06.05.2025 2 minutes Author: Newsman

Google has released the May 2025 Android Security Update, which fixes 46 vulnerabilities, including CVE-2025-27363, a critical bug rated 8.1 that attackers can exploit without any user interaction.

The vulnerability, CVE-2025-27363, affects the Android System component and allows local arbitrary code execution with no additional privileges required. The flaw lies in the FreeType library, which Android uses to render fonts. Facebook reported in-the-wild exploitation of this vulnerability back in March 2025.

The bug is classified as an out-of-bounds write and is related to the handling of TrueType GX and variable fonts. FreeType has contained the fix since version 2.13.1. Google notes that exploitation is limited and targeted, although no details of specific attacks have been disclosed.

In addition, the update fixes 8 more issues in System and 15 in Framework, including privilege escalation, information disclosure, and denial-of-service bugs.

This is not the first time that FreeType issues have been used to attack Android. Although new protection mechanisms are gradually being introduced in newer versions of the OS, Google continues to record targeted attacks that partially bypass those protections.

Previous vulnerabilities of this kind, such as Stagefright or the Binder zero-day, have already been used in large-scale espionage campaigns. Users should update their devices immediately to avoid a potential takeover of the system. This applies especially to those who work with confidential information or are at risk because of geopolitical or corporate factors.
