Google has released its May 2025 Android Security Bulletin, addressing 46 vulnerabilities across the mobile ecosystem — including an actively exploited zero-day flaw in FreeType, a widely used font rendering library.
The most serious of the patched issues is CVE-2025-27363, a remote code execution (RCE) vulnerability in FreeType that’s reportedly been subjected to “limited, targeted exploitation,” according to Google. The bug, which impacts versions 2.13.0 and below, was first flagged by Facebook’s security team in March. While Google hasn’t revealed details on how attackers have been leveraging it, the flaw could allow malicious code execution via crafted font files — a common vector for stealthy attacks.
Beyond the zero-day, the update includes fixes for a mix of elevation of privilege, information disclosure, denial of service, and one additional RCE flaw — all classified as high severity. The bulletin also includes patches for component-level issues in chips and firmware from Qualcomm, MediaTek, Arm, and Imagination Technologies, underscoring the complexity of the Android hardware landscape.
For Android users, the takeaway is simple: update as soon as possible. Google has begun pushing the patch to supported Pixel devices and to the Android Open Source Project (AOSP), while manufacturers like Samsung, Motorola, and Nokia are expected to follow with device-specific updates.
Security experts recommend installing these updates immediately, especially given the confirmed in-the-wild exploitation of the FreeType vulnerability. If your device supports automatic updates, now is a good time to double-check that it’s enabled.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
