Google has launched the Could 2025 security updates for Android with fixes for 45 security flaws, together with an actively exploited zero-click FreeType 2 code execution vulnerability.
FreeType is a well-liked open-source font rendering library that shows and programmatically provides textual content to photographs.
The flaw, tracked as CVE-2025-27363, is a high-severity arbitrary code execution bug found by Fb security researchers in March 2025.
It impacts all FreeType variations as much as 2.13, which was launched on February 9, 2023, and addresses the vulnerability.
“There are indications that CVE-2025-27363 could also be beneath restricted, focused exploitation,” reads the bulletin.
Neither Fb nor Google disclosed particulars about how the flaw is utilized in assaults. Nonetheless, Fb’s disclosure in March explains that it may be exploited when FreeType parses a malicious TrueType GX or variable fonts file, resulting in code execution.
“An out of bounds write exists in FreeType variations 2.13.0 and beneath (newer variations of FreeType usually are not weak) when trying to parse font subglyph buildings associated to TrueType GX and variable font recordsdata,” reads Fb’s disclosure.
“The weak code assigns a signed brief worth to an unsigned lengthy after which provides a static worth inflicting it to wrap round and allocate too small of a heap buffer. The code then writes as much as 6 signed lengthy integers out of bounds relative to this buffer. This may occasionally end in arbitrary code execution.”
The remainder of the failings mounted by Google this month concern issues in Framework, System, Google Play, and the Android Kernel, in addition to security gaps in proprietary parts from MediaTek, Qualcomm, Arm, and Creativeness Applied sciences.
All the failings in core Android parts are rated excessive severity, with most being elevation of privilege issues.
The launched fixes concern Android variations 13, 14, and 15, although not all vulnerabilities influence all three.
Android 12 reached the top of assist on March 31, 2025, so it is not receiving security fixes. Nonetheless, it (and older variations) could also be impacted by among the vulnerabilities listed within the newest bulletin.
Google usually incorporates essential fixes for these gadgets by way of the Google Play system replace channel, although particular fixes to actively exploited flaws aren’t assured for older gadgets.
Android customers on variations older than 13 are really helpful to contemplate third-party Android distributions that incorporate security fixes for unsupported gadgets or transfer to a more recent mannequin that’s supported by its OEM.
To use the newest Android replace, go to Settings > Safety & privateness > System & updates > Safety replace > click on ‘Verify for replace.’ (the method could range per OEM/mannequin).
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and methods to defend towards them.
