
Google Addresses Critical Android Vulnerability CVE-2025-27363 in May 2025 Security Update

Google has released its May 2025 Android Security Update, addressing a critical vulnerability identified as CVE-2025-27363. This flaw, which has been actively exploited in the wild, affects the System component of Android devices and could lead to remote code execution without requiring additional execution privileges.

Understanding CVE-2025-27363

The vulnerability stems from an out-of-bounds write issue in the FreeType open-source font rendering library, specifically in versions 2.13.0 and earlier. When parsing TrueType GX and variable font files, the flawed code assigns a signed short value to an unsigned long, causing a buffer overflow. This allows attackers to write up to six signed long integers out of bounds, potentially leading to arbitrary code execution.
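The signed-to-unsigned conversion described above, shown as a general pattern beside a checked version. This is an added example, not FreeType's code: the function names, the `EXTRA_SLOTS` constant and the size calculation are assumptions chosen to show how such a conversion can produce an undersized buffer.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical constant: fixed number of extra slots added to the count. */
#define EXTRA_SLOTS 4UL

/* Flawed pattern: the signed 16-bit count is widened to unsigned long
 * before any range check. A negative value sign-extends to a huge number;
 * for small negatives the addition then wraps to a tiny slot count, so a
 * buffer sized from it is too small for the writes that follow. */
unsigned long slots_unchecked(short count_from_file)
{
    unsigned long n = count_from_file;   /* -1 becomes ULONG_MAX */
    return n + EXTRA_SLOTS;              /* ULONG_MAX + 4 wraps to 3 */
}

/* Hardened pattern: validate while the value is still signed, then widen.
 * Returns 0 and stores the slot count, or -1 for a malformed count. */
int slots_checked(short count_from_file, unsigned long *out)
{
    if (count_from_file < 0)
        return -1;
    *out = (unsigned long)count_from_file + EXTRA_SLOTS;
    return 0;
}

int main(void)
{
    /* Constructed sample values standing in for a 16-bit field in a font. */
    const short samples[] = { 5, 0, -1, -32768 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long safe = 0;
        int rc = slots_checked(samples[i], &safe);
        printf("count=%6d unchecked=%lu checked=%s\n", samples[i],
               slots_unchecked(samples[i]), rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Building with GCC or Clang and `-Wsign-conversion` flags the implicit conversion in `slots_unchecked`, which makes this pattern easy to find during code review.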

Meta (formerly Facebook) disclosed the vulnerability in March 2025, confirming that it had been exploited in the wild. Google’s May security update addresses this issue by patching the affected System component in Android.

Severity and Impact

CVE-2025-27363 has been assigned a CVSS v3.0 score of 8.1, indicating a high severity level. Exploitation of this vulnerability could allow attackers to execute arbitrary code on affected devices, potentially compromising user data and device integrity.

Mitigation and Recommendations

Google encourages all Android users to update their devices to the latest security patch level to mitigate the risk associated with this vulnerability. The May 2025 security update addresses CVE-2025-27363 and other vulnerabilities, enhancing the overall security posture of Android devices.

Conclusion

The prompt release of the May 2025 Android Security Update underscores Google’s commitment to addressing critical vulnerabilities and protecting users from potential threats. Users are advised to apply the update promptly to safeguard their devices against CVE-2025-27363 and other security issues.
