Google fixes actively exploited FreeType flaw on Android

Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability.

FreeType is a popular open-source font rendering library that displays and programmatically adds text to images.

The flaw, tracked as CVE-2025-27363, is a high-severity arbitrary code execution bug discovered by Facebook security researchers in March 2025.

It impacts all FreeType versions up to 2.13, which was released on February 9, 2023, and addresses the vulnerability.

"There are indications that CVE-2025-27363 may be under limited, targeted exploitation," reads the bulletin.

Neither Facebook nor Google disclosed details about how the flaw is used in attacks. However, Facebook's disclosure in March explains that it can be exploited when FreeType parses a malicious TrueType GX or variable fonts file, leading to code execution.

"An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files," reads Facebook's disclosure.

"The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution."

The rest of the flaws fixed by Google this month concern problems in Framework, System, Google Play, and the Android Kernel, as well as security gaps in proprietary components from MediaTek, Qualcomm, Arm, and Imagination Technologies.

All the flaws in core Android components are rated high severity, with most being elevation of privilege problems.

The released fixes concern Android versions 13, 14, and 15, though not all vulnerabilities impact all three.

Android 12 reached the end of support on March 31, 2025, so it's no longer receiving security fixes. However, it (and older versions) may be impacted by some of the vulnerabilities listed in the latest bulletin.

Google regularly incorporates critical fixes for those devices via the Google Play system update channel, though specific fixes to actively exploited flaws aren't guaranteed for older devices.

Android users on versions older than 13 are recommended to consider third-party Android distributions that incorporate security fixes for unsupported devices or move to a newer model that is supported by its OEM.

To apply the latest Android update, go to Settings > Security & privacy > System & updates > Security update > click 'Check for update.' (the process may vary per OEM/model).