Google Patches 46 Android Flaws, Including One Actively Exploited Zero-Day
Google has released its May 2025 Android security updates, addressing 46 vulnerabilities—one of which is currently being exploited in the wild.
The actively exploited flaw, identified as CVE-2025-27363, carries a CVSS score of 8.1 and impacts the System component. According to Google’s Android Security Bulletin, the vulnerability allows local code execution without requiring user interaction or additional privileges. While the company acknowledged signs of limited, targeted exploitation, it did not share specifics about the attackers or the nature of the attacks.
The same flaw had previously been highlighted by Meta in March, which flagged it as an out-of-bounds write vulnerability in the FreeType font rendering library (version 2.13.0 and earlier). The issue arises while parsing subglyph structures in TrueType GX and variable font files, and can enable arbitrary code execution by corrupting memory through improperly sized heap buffers.
Meta's advisory explained that the vulnerable code improperly assigns a signed short to an unsigned long, causing buffer size miscalculations and out-of-bounds writes. The vulnerability does not affect FreeType versions after 2.13.0, but many Linux distributions still rely on older, vulnerable versions, increasing the risk of exploitation.
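The conversion pattern Meta's advisory describes, as a constructed illustration added here (not FreeType, Google or Meta code): a signed 16-bit count read from a file is widened straight into an unsigned long, beside a version that validates the value before widening. The field layout, names and sample bytes are assumptions for the demo.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian signed 16-bit field, the way TrueType-style tables store it. */
static int16_t read_s16(const uint8_t *p) {
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Unsafe pattern: the signed short is assigned to an unsigned long without a
 * sign check. A negative count silently becomes a huge value, so any buffer
 * size or loop bound derived from it no longer matches the parser's writes. */
unsigned long unsafe_buffer_size(const uint8_t *field) {
    unsigned long count = read_s16(field);   /* implicit signed -> unsigned widening */
    return count * 2UL;                      /* two bytes per entry (assumed layout) */
}

/* Safe pattern: reject negative or oversized counts before widening.
 * Returns the byte size, or -1 when the input is malformed. */
long safe_buffer_size(const uint8_t *field, size_t max_entries) {
    int16_t count = read_s16(field);
    if (count < 0 || (size_t)count > max_entries)
        return -1;
    return (long)count * 2L;
}

/* Constructed sample fields: a sane count (3) and a negative one (-1). */
const uint8_t SAMPLE_GOOD[2] = {0x00, 0x03};
const uint8_t SAMPLE_BAD[2]  = {0xFF, 0xFF};

int main(void) {
    printf("unsafe size for -1: %lu (ULONG_MAX is %lu)\n",
           unsafe_buffer_size(SAMPLE_BAD), (unsigned long)ULONG_MAX);
    printf("safe size for 3: %ld\n", safe_buffer_size(SAMPLE_GOOD, 64));
    printf("safe size for -1: %ld\n", safe_buffer_size(SAMPLE_BAD, 64));
    return 0;
}
```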
While exploitation on Android is generally more complex due to security enhancements in newer versions of the OS, Google strongly urges all users to update to the latest Android version to reduce their exposure to potential threats.