Google addressed 47 vulnerabilities affecting Android devices in its May security update, including an actively exploited software defect that was first disclosed in March. Google said the high-severity vulnerability, CVE-2025-27363, “may be under limited, targeted exploitation.”

The out-of-bounds write defect in FreeType versions 2.13.0 and below may result in arbitrary code execution, Facebook said in March when, acting in its capacity as a CVE numbering authority, it disclosed the vulnerability in a security advisory. The vulnerability has a base score of 8.1 on the CVSS scale and is still awaiting further assessment by the National Institute of Standards and Technology’s National Vulnerability Database program.

FreeType is a software library, written in the C programming language, that allows developers to render fonts. The freely available software is used in products contained in more than a billion devices, according to the FreeType Project.

Google’s security update includes 15 high-severity vulnerabilities affecting the Android framework and nine high-severity software defects affecting the Android system. The vulnerabilities, if exploited, could allow attackers to achieve escalation of privileges, remote code execution, local code execution, information disclosure and denial of service.

The Android security update contains two patch levels — 2025-05-01 and 2025-05-05 — allowing Android partners to address a group of 24 common vulnerabilities on different devices.

The second patch level includes fixes for two high-severity vulnerabilities affecting Arm components, nine defects in Imagination Technologies components, one flaw in MediaTek components and 11 total vulnerabilities in Qualcomm components.

Google Pixel users automatically get access to the latest Android security updates. Meanwhile, other Android device manufacturers release security patches after they’ve customized operating system updates for their specific hardware.

Google said source code patches for all 47 vulnerabilities covered in this month’s security update will be released to the Android Open Source Project repository by Wednesday.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.