Google has rolled out its May 2025 Android security bulletin. Among the 46 patched vulnerabilities, one stands out: a serious flaw in the FreeType font rendering library that was already under active exploitation.
Tracked as CVE-2025-27363, the vulnerability allows for arbitrary code execution and posed a severe risk to Android users prior to the patch.
What is FreeType?
FreeType is a popular open-source font rendering library used by Android and many other platforms to process and display text. Because of its widespread use, vulnerabilities in FreeType can have far-reaching security implications.
The CVE-2025-27363 flaw, reported to Google by Facebook’s security team in March 2025, is a high-severity memory corruption issue stemming from improper handling of specially crafted TrueType GX or variable fonts.
This type of vulnerability can be exploited remotely and silently, requiring no user interaction, thus classifying it as a zero-click exploit.
The flaw impacts Android versions 13, 14, and 15. If your device is running one of these, it’s crucial to ensure you’ve installed the latest update with patch levels 2025-05-01 or 2025-05-05. Devices on Android 12 and earlier may remain vulnerable unless manufacturers provide specific updates.
Technical Overview: CVE-2025-27363
- Type: Out-of-bounds write
- Component: FreeType (prior to version 2.13.1)
- Severity: High
- Impact: Remote code execution
- Attack Vector: Remote, zero-click (e.g., via malicious media files or messaging content)
- Exploit Status: Confirmed active exploitation in the wild
The flaw allows attackers to craft font files that, when processed by FreeType, result in memory corruption, potentially enabling them to execute arbitrary code within the context of the vulnerable process.
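The bulletin names TrueType GX / variable fonts as the input class that reaches the buggy code. A defender triaging files before they hit an unpatched renderer can recognise that class from the font's own table directory. The following Python parser is an added example (not code from this article or from the FreeType project): it walks the sfnt offset table and table records, rejects structurally malformed directories instead of guessing, and flags files that carry OpenType variation tables (`fvar`, `gvar`, and friends). Presence of those tables does not mean a file is malicious; it only tells you the file exercises the code path the 2.13.1 fix touches. The `build_sample_font` helper and its table lists are constructed test data, not real fonts.

```python
import struct

# OpenType variation tables; any of these marks a variable (TrueType GX-style)
# font, i.e. the input class named in the Android bulletin.
VARIATION_TABLES = {b"fvar", b"gvar", b"avar", b"cvar", b"HVAR", b"MVAR", b"VVAR"}

# Accepted sfntVersion values: 1.0 (TrueType outlines), 'true' (Apple), 'OTTO' (CFF).
_SFNT_VERSIONS = (0x00010000, 0x74727565, 0x4F54544F)


def list_sfnt_tables(data: bytes) -> list:
    """Return the table tags of an sfnt (TrueType/OpenType) file.

    Raises ValueError on structurally invalid input so that a triage pipeline
    treats malformed fonts as suspicious rather than silently passing them.
    """
    if len(data) < 12:
        raise ValueError("too short for an sfnt offset table")
    sfnt_version, num_tables = struct.unpack(">IH", data[:6])
    if sfnt_version not in _SFNT_VERSIONS:
        raise ValueError("not a TrueType/OpenType sfnt header")
    # 12-byte offset table followed by num_tables 16-byte table records.
    directory_end = 12 + 16 * num_tables
    if directory_end > len(data):
        raise ValueError("table directory runs past end of file")
    tags = []
    for i in range(num_tables):
        rec = data[12 + 16 * i: 12 + 16 * (i + 1)]
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        # Every record must lie inside the file; an out-of-range record is
        # exactly the kind of malformed structure that should stop triage here.
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} lies outside the file")
        tags.append(tag)
    return tags


def is_structurally_valid(data: bytes) -> bool:
    """True if the table directory parses; False for anything list_sfnt_tables rejects."""
    try:
        list_sfnt_tables(data)
        return True
    except ValueError:
        return False


def is_variable_font(data: bytes) -> bool:
    """True if the file carries at least one variation table."""
    return bool(VARIATION_TABLES & set(list_sfnt_tables(data)))


def build_sample_font(tags) -> bytes:
    """Construct a minimal, syntactically valid sfnt with empty tables (test data only)."""
    num = len(tags)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    data_offset = 12 + 16 * num  # all (empty) tables start right after the directory
    records = b"".join(struct.pack(">4sIII", t, 0, data_offset, 0) for t in tags)
    return header + records


if __name__ == "__main__":
    for name, tags in (("static", [b"head", b"glyf"]), ("variable", [b"head", b"fvar", b"gvar"])):
        sample = build_sample_font(tags)
        print(name, list_sfnt_tables(sample), "variable:", is_variable_font(sample))
```

In a real pipeline the bytes come from the attachment or media file under review; files that fail `is_structurally_valid` and files that are variable fonts are the ones to hold back from devices still below the May 2025 patch level.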
Google Response
After Facebook reported the issue, the FreeType team issued a fix in version 2.13.1. Google quickly incorporated this patch into its May 2025 Android security update.
The company also acknowledged that the bug had been exploited “in limited, targeted attacks” in the wild, though exact details remain undisclosed.
Recommendations for Users
To keep your device secure:
- Update Immediately: Head to Settings > Security > Security Update and install any available patches.
- Check Patch Level: Make sure it says May 1, 2025, or May 5, 2025.
- Avoid installing apps or opening media from unknown sources, especially font-heavy documents or messages.
- Use Google Play Protect and ensure Play Services are up to date.
For developers and OEMs:
- Integrate FreeType 2.13.1 or later into your build pipelines.
- Validate any custom rendering libraries that may rely on older FreeType components.
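Both recommendation lists come down to two version comparisons: a device's security patch level against 2025-05-01 / 2025-05-05, and a bundled FreeType copy against 2.13.1. The following Python script is an added example (not code from this article or from the FreeType or Android projects) that performs both. It reads the version macros `FREETYPE_MAJOR`, `FREETYPE_MINOR` and `FREETYPE_PATCH`, which the real `freetype/freetype.h` defines, so a build tree that vendors an old FreeType can be found by scanning for headers; and it compares an Android patch-level string as returned by `adb shell getprop ro.build.version.security_patch`. `SAMPLE_OLD_HEADER` is a constructed fragment for demonstration. The patch-level check only confirms the string the device reports; it cannot tell whether an OEM backported the fix to Android 12 or earlier, where the bulletin gives no guarantee.

```python
import re
from pathlib import Path

FIXED_FREETYPE = (2, 13, 1)                      # fixed in FreeType 2.13.1 (per the bulletin)
FIXED_PATCH_LEVELS = ("2025-05-01", "2025-05-05")  # Android patch levels carrying the fix

_MACROS = ("FREETYPE_MAJOR", "FREETYPE_MINOR", "FREETYPE_PATCH")


def freetype_version_from_header(header_text: str) -> tuple:
    """Extract (major, minor, patch) from the text of freetype/freetype.h."""
    version = []
    for macro in _MACROS:
        m = re.search(rf"^\s*#\s*define\s+{macro}\s+(\d+)", header_text, re.M)
        if not m:
            raise ValueError(f"{macro} not found; not a FreeType version header?")
        version.append(int(m.group(1)))
    return tuple(version)


def freetype_is_fixed(version: tuple) -> bool:
    """True if the given FreeType version already contains the CVE-2025-27363 fix."""
    return tuple(version) >= FIXED_FREETYPE


def find_bundled_freetype(root: str) -> list:
    """Scan a build tree for vendored freetype.h copies and report their versions.

    Returns a list of (path, version, fixed) tuples; headers that are not the
    FreeType version header are skipped.
    """
    findings = []
    for path in Path(root).rglob("freetype.h"):
        try:
            version = freetype_version_from_header(path.read_text(errors="replace"))
        except ValueError:
            continue
        findings.append((str(path), version, freetype_is_fixed(version)))
    return findings


def patch_level_is_fixed(level: str) -> bool:
    """Compare ro.build.version.security_patch (YYYY-MM-DD) with the fixed levels.

    ISO dates sort lexicographically, so a plain string comparison is correct.
    """
    level = level.strip()
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", level):
        raise ValueError(f"unexpected patch level format: {level!r}")
    return level >= min(FIXED_PATCH_LEVELS)


# Constructed sample of the relevant lines of an older freetype.h (test data only).
SAMPLE_OLD_HEADER = """
#define FREETYPE_MAJOR  2
#define FREETYPE_MINOR  13
#define FREETYPE_PATCH  0
"""

if __name__ == "__main__":
    v = freetype_version_from_header(SAMPLE_OLD_HEADER)
    print("sample header version:", v, "fixed:", freetype_is_fixed(v))
    # On a connected device the patch level string comes from:
    #   adb shell getprop ro.build.version.security_patch
    for level in ("2025-04-05", "2025-05-01", "2025-05-05"):
        print(level, "fixed:", patch_level_is_fixed(level))
    # Example scan of the current directory for vendored FreeType headers.
    for path, version, fixed in find_bundled_freetype("."):
        print(path, version, "fixed" if fixed else "NEEDS UPDATE")
```

Run `find_bundled_freetype` against the source tree of any app or OEM build that ships its own renderer; every `NEEDS UPDATE` line is a copy the upstream 2.13.1 fix has not reached, regardless of what the platform's own libfreetype reports.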
Zero-click vulnerabilities like CVE-2025-27363 highlight the importance of timely security patches.