Google has launched the Could 2025 safety updates for Android with fixes for 45 safety flaws, together with an actively exploited zero-click FreeType 2 code execution vulnerability.
FreeType is a well-liked open-source font rendering library that shows and programmatically provides textual content to pictures.
The flaw, tracked as CVE-2025-27363, is a high-severity arbitrary code execution bug found by Fb safety researchers in March 2025.
It impacts all FreeType variations as much as 2.13, which was launched on February 9, 2023, and addresses the vulnerability.
“There are indications that CVE-2025-27363 could also be below restricted, focused exploitation,” reads the bulletin.
Neither Fb nor Google disclosed particulars about how the flaw is utilized in assaults. Nonetheless, Fb’s disclosure in March explains that it may be exploited when FreeType parses a malicious TrueType GX or variable fonts file, resulting in code execution.
“An out of bounds write exists in FreeType variations 2.13.0 and under (newer variations of FreeType should not susceptible) when trying to parse font subglyph buildings associated to TrueType GX and variable font information,” reads Fb’s disclosure.
“The susceptible code assigns a signed quick worth to an unsigned lengthy after which provides a static worth inflicting it to wrap round and allocate too small of a heap buffer. The code then writes as much as 6 signed lengthy integers out of bounds relative to this buffer. This may increasingly lead to arbitrary code execution.”
The remainder of the failings fastened by Google this month concern issues in Framework, System, Google Play, and the Android Kernel, in addition to safety gaps in proprietary parts from MediaTek, Qualcomm, Arm, and Creativeness Applied sciences.
All the failings in core Android parts are rated excessive severity, with most being elevation of privilege issues.
The launched fixes concern Android variations 13, 14, and 15, although not all vulnerabilities impression all three.
Android 12 reached the top of assist on March 31, 2025, so it is now not receiving safety fixes. Nonetheless, it (and older variations) could also be impacted by a number of the vulnerabilities listed within the newest bulletin.
Google repeatedly incorporates essential fixes for these gadgets through the Google Play system replace channel, although particular fixes to actively exploited flaws aren’t assured for older gadgets.
Android customers on variations older than 13 are really useful to think about third-party Android distributions that incorporate safety fixes for unsupported gadgets or transfer to a more recent mannequin that’s supported by its OEM.
To use the newest Android replace, go to Settings > Safety & privateness > System & updates > Safety replace > click on ‘Verify for replace.’ (the method might fluctuate per OEM/mannequin).
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and find out how to defend towards them.
