Google has issued a patch for a high-severity Android vulnerability, CVE-2025-27363, that it says has seen limited, targeted exploitation in the wild. The flaw lives in FreeType, a font library shipped inside the Android System component, and was called out in the May 2025 Android Security Bulletin alongside 45 other fixes.
With a CVSS score of 8.1, CVE-2025-27363 is a code execution vulnerability that requires neither user interaction nor prior privileges. The vector behind that score (CVSS 3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) marks it as network-reachable but high in attack complexity, and the Android bulletin classifies it as remote code execution (RCE) in the System component, which makes it well suited to targeted attacks.
What is CVE-2025-27363?
CVE-2025-27363 stems from an out-of-bounds write in FreeType, the open-source font rendering library used by Android and many other platforms. According to Meta's advisory, the bug is triggered while parsing font subglyph structures in TrueType GX and variable font files: a signed short value is assigned to an unsigned long, a constant is added, the result wraps around, and the parser allocates a heap buffer that is too small and then writes past its end. A crafted font file can therefore corrupt the heap and potentially execute arbitrary code in whichever process renders it.
Key Facts:
- Type: Out-of-bounds (heap) write caused by an integer wraparound in a buffer-size calculation
- Component: FreeType (embedded in the Android System component)
- Impact: Code execution, classified as RCE in the Android bulletin; no user interaction or prior privileges required
- Severity: High (CVSS 8.1)
- Reported by: Meta, which published an advisory in March 2025
- Exploited in the wild: Yes (Google: "limited, targeted exploitation")
- Patched in: FreeType 2.13.1 and later (the upstream fix shipped in 2023; versions 2.13.0 and below are affected) and the May 2025 Android security update
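The sizing mistake Meta describes is a classic sign-extension wrap. The C below is an added illustration of that bug class written for this article; it is not FreeType's source, and the two-byte record layout, the field name and the FIXED_SLOTS constant are assumptions made for the demonstration. It reads a signed 16-bit count the way TrueType tables are read (big-endian), shows how a negative count wraps to a tiny allocation, and places the hardened check beside it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the bug class in Meta's advisory, NOT FreeType's code.
 * Assumptions for the demo: a record whose first two bytes are a signed
 * big-endian count, and a loader that always writes FIXED_SLOTS entries. */
#define FIXED_SLOTS 4u   /* assumed: entries the loader writes unconditionally */

/* Font tables are big-endian; read a signed 16-bit field as TrueType does. */
static int16_t read_be16(const uint8_t *p)
{
    return (int16_t)(((uint16_t)p[0] << 8) | (uint16_t)p[1]);
}

/* Vulnerable pattern: the signed count is sign-extended into size_t, so a
 * negative count becomes a value near SIZE_MAX and the addition wraps around
 * to a tiny allocation (-2 + 4 == 2 slots) regardless of pointer width. */
size_t vulnerable_slot_count(const uint8_t *rec)
{
    size_t n = (size_t)read_be16(rec);   /* -2 -> SIZE_MAX - 1 */
    return n + FIXED_SLOTS;              /* wraps to 2 */
}

/* Hardened form: reject negative counts before widening, then check the
 * addition against SIZE_MAX. Returns 0 on success, -1 if the record is bad. */
int hardened_slot_count(const uint8_t *rec, size_t *out)
{
    int16_t raw = read_be16(rec);
    if (raw < 0)
        return -1;                        /* a negative count is malformed */
    size_t n = (size_t)raw;
    if (n > SIZE_MAX - FIXED_SLOTS)
        return -1;                        /* would overflow size_t */
    *out = n + FIXED_SLOTS;
    return 0;
}

/* Does the loader's unconditional write of FIXED_SLOTS entries already exceed
 * the buffer the vulnerable sizing would allocate? 1 = heap overflow. */
int vulnerable_would_overflow(const uint8_t *rec)
{
    return vulnerable_slot_count(rec) < FIXED_SLOTS;
}

int main(void)
{
    /* Constructed sample records: a benign count of 3 and a hostile -2. */
    const uint8_t benign[2]  = { 0x00, 0x03 };
    const uint8_t hostile[2] = { 0xFF, 0xFE };
    size_t n = 0;

    printf("benign : vulnerable=%zu overflow=%d\n",
           vulnerable_slot_count(benign), vulnerable_would_overflow(benign));
    printf("hostile: vulnerable=%zu overflow=%d\n",
           vulnerable_slot_count(hostile), vulnerable_would_overflow(hostile));
    printf("hardened(hostile) -> %d\n", hardened_slot_count(hostile, &n));
    if (hardened_slot_count(benign, &n) == 0)
        printf("hardened(benign) -> %zu slots\n", n);
    return 0;
}
```

The hostile record allocates two slots while the loader's fixed header alone needs four, so the very first writes land past the buffer; the hardened version never reaches the allocation because it rejects the negative count up front, which is the same discipline any parser of attacker-controlled lengths should follow.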
Why It’s Critical
This vulnerability is notable for two reasons:
- No user interaction – the CVSS vector records UI:N, so the victim does not have to click a link or deliberately open a file. In practice, any app that parses an attacker-supplied font automatically, for example while rendering a message or a document preview, is a potential trigger.
- No prior privileges – the attacker needs no foothold on the device beforehand (PR:N). The payload runs with whatever privileges the process rendering the font holds, which on an unpatched device is often enough to do real damage.
Google has acknowledged "limited, targeted exploitation" in the wild. Detailed attack vectors have not been published, but font-parsing bugs of this kind have historically been used in commercial spyware and nation-state surveillance campaigns, delivered through messaging apps or malicious documents.
Additional Vulnerabilities Fixed
The May 2025 Android security patch includes 46 vulnerabilities across the Android ecosystem:
- 8 flaws in the System component
- 15 issues in the Android Framework
- Remainder in kernel, media libraries, and third-party components
These additional vulnerabilities cover threats like:
- Privilege escalation
- Information disclosure
- Denial-of-service (DoS)
Google emphasized that modern Android versions (Android 12 and higher) incorporate platform-level mitigations that reduce exploitation risks, but patching remains essential.
Affected Devices
Devices whose security patch level is earlier than May 2025 are vulnerable. This includes:
- Pixel devices not updated to May 2025 patch
- OEM devices (Samsung, Xiaomi, OnePlus, etc.) pending firmware rollout
- Android-based custom ROMs not integrating the latest FreeType patch
If you are unsure of your device's patch level, go to Settings → About Phone → Android Version and check the "Android security update" date; it should read May 2025 or later.
How to Protect Yourself
To mitigate the risk from CVE-2025-27363 and related vulnerabilities:
✅ Update your Android device immediately to the May 2025 security patch
✅ Avoid sideloading apps or font files from unknown sources
✅ Use Google Play Protect and a reputable mobile security app
✅ Apply OS and app updates regularly, especially system-level patches
✅ Refrain from opening files or links sent from untrusted contacts
Broader Implications
This vulnerability demonstrates the continued exploitation of third-party libraries embedded in major mobile platforms. FreeType, widely used across multiple systems, has historically been a high-value target because it parses untrusted input (fonts arriving in web pages, documents and messages) inside many different applications, so a single bug reaches a very large attack surface.
It is also a cautionary tale for developers: the upstream fix for this bug shipped in FreeType 2.13.1 in 2023, yet devices were still running vulnerable copies when exploitation was reported in 2025. Use dependency scanners, track CVEs against the exact library versions you ship, and keep vendored copies current so you do not inherit vulnerabilities that upstream has already fixed.
Conclusion
The exploitation of CVE-2025-27363 is a reminder that no Android user is immune from security threats—especially those that require zero interaction and minimal privileges. As attackers grow more sophisticated, the best defense is a well-maintained, frequently updated device.
Google's patch, combined with the visibility Meta's disclosure provided, limits the scope for broader damage, but only on devices where users actually apply the fix.