Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability. The rest of the flaws fixed by Google this month concern problems in Framework, System, Google Play, and the Android Kernel, as well as security gaps in proprietary components from MediaTek, Qualcomm, Arm, and Imagination Technologies. Android users on versions older than 13 are recommended to consider third-party Android distributions that incorporate security fixes for unsupported devices or move to a newer model that is supported by its OEM. Google regularly incorporates critical fixes for those devices via the Google Play system update channel, though specific fixes to actively exploited flaws aren't guaranteed for older devices. However, Facebook's disclosure in March explains that it can be exploited when FreeType parses a malicious TrueType GX or variable fonts file, leading to code execution. "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files," reads Facebook's disclosure. To apply the latest Android update, go to Settings > Security & privacy > System & updates > Security update > click 'Check for update.' (the process may vary per OEM/model). The flaw, tracked as CVE-2025-27363, is a high-severity arbitrary code execution bug discovered by Facebook security researchers in March 2025. Android 12 reached the end of support on March 31, 2025, so it's no longer receiving security fixes.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 06 May 2025 13:35:15 +0000