Google has rolled out the May 2025 Android security updates, addressing 45 vulnerabilities, including a high-severity, actively exploited zero-click flaw in the FreeType font rendering library.
The bug, tracked as CVE-2025-27363, could allow arbitrary code execution without user interaction.
Discovered by Facebook’s security team in March 2025, the flaw exists in all FreeType versions up to 2.13.0, which was released in February 2023. FreeType is widely used for rendering fonts and text in images across Android and other platforms. According to Facebook, the vulnerability is triggered when parsing malicious TrueType GX or variable font files, potentially enabling attackers to execute code via out-of-bounds memory writes.
“There are indications that CVE-2025-27363 may be under limited, targeted exploitation,” Google warned in its bulletin. While both Facebook and Google withheld technical details on in-the-wild attacks, the vulnerability’s nature makes it especially dangerous for Android users.
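For defenders triaging font files and bundled FreeType builds, the sketch below is an added example, not code from Google, Facebook or the FreeType project. It reads an sfnt table directory to flag variable (GX) fonts by their standard `fvar`/`gvar` tables and compares a FreeType version string against the 2.13.0 bound given above; the function names and the sample fonts are constructed for illustration.

```python
import struct

# Standard OpenType tables that mark a TrueType GX / variable font.
VARIATION_TAGS = {"fvar", "gvar"}
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}
# Bound taken from the article: affected in all versions up to 2.13.0.
LAST_AFFECTED = (2, 13, 0)


def table_tags(data: bytes) -> set:
    """Return the table tags listed in a single-font sfnt table directory."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        raise ValueError("not a single-font sfnt file")
    num_tables = struct.unpack(">H", data[4:6])[0]
    end = 12 + 16 * num_tables  # 12-byte header, 16-byte table records
    if end > len(data):
        raise ValueError("truncated table directory")
    return {data[off:off + 4].decode("latin-1") for off in range(12, end, 16)}


def is_variable_font(data: bytes) -> bool:
    """True when the font carries variation tables (the affected parsing path)."""
    return bool(table_tags(data) & VARIATION_TAGS)


def freetype_affected(version: str) -> bool:
    """True when a dotted FreeType version is at or below the article's bound."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # treat "2.12" as 2.12.0
    return parts[:3] <= LAST_AFFECTED


def build_sfnt(tags):
    """Constructed sample: header and table directory only, no table data."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tags), 0, 0, 0)
    records = b"".join(struct.pack(">4sIII", t.encode(), 0, 0, 0) for t in tags)
    return header + records


if __name__ == "__main__":
    for name, tags in [("static.ttf", ["glyf", "head"]),
                       ("variable.ttf", ["glyf", "fvar", "gvar"])]:
        print(name, "variable font:", is_variable_font(build_sfnt(tags)))
    for v in ("2.12", "2.13.0", "2.13.1"):
        print("FreeType", v, "affected:", freetype_affected(v))
```

A variable font is not malicious in itself; the flag only marks files that exercise the parsing path named in the advisory, which matters on hosts whose FreeType build is still in the affected range.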
Besides the FreeType flaw, the May update addresses critical issues in Android Framework, System, Google Play, and Kernel, along with patches for components from MediaTek, Qualcomm, Arm, and Imagination Technologies. Most of these are elevation-of-privilege vulnerabilities rated as high severity.
The update applies to Android versions 13, 14, and 15; older versions such as Android 12 have been officially out of support since March 31, 2025. Users on unsupported versions are advised to either switch to custom ROMs with active security patching or upgrade to a supported device.
To install the update, navigate to Settings > Security & privacy > System & updates > Security update, and tap Check for update. Update steps may vary depending on your device brand.
Bijay Pokharel