Google Patches Actively Exploited Android System Vulnerability Tied to FreeType Library
In its May 2025 security update, Google has addressed 46 Android vulnerabilities, including a high-severity flaw (CVE-2025-27363) that has reportedly been exploited in the wild. The vulnerability, which resides in the System component, has been described as allowing local code execution without requiring any additional privileges or user interaction—a concerning combination that elevates its threat level substantially.
“The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed,” Google noted in its security advisory.
CVE-2025-27363: Exploitation in the Wild
Tracked as CVE-2025-27363, the flaw carries a CVSS score of 8.1 and stems from an out-of-bounds write issue within FreeType, the open-source font rendering engine embedded across Android systems. Notably, the vulnerability impacts the processing of TrueType GX and variable font files—a vector that attackers have exploited in the past to achieve arbitrary code execution.
The vulnerability was initially disclosed in March 2025 by security researchers at Facebook, who flagged it as having been actively exploited in targeted attacks. Though Google has not released specific details about how the flaw is being leveraged, it has acknowledged that:
“There are indications that CVE-2025-27363 may be under limited, targeted exploitation.”
This aligns with a growing trend in mobile exploitation, where adversaries increasingly focus on zero-click or low-interaction vectors, particularly those involving embedded libraries like FreeType, Skia, or media parsers.
Why FreeType Remains a Soft Target
FreeType, while essential for high-quality font rendering, has historically been a frequent source of memory corruption vulnerabilities. The nature of font parsing—complex, legacy-driven, and often exposed to untrusted input—makes it an attractive attack surface for adversaries aiming to bypass app or OS-level sandboxing.
The vulnerability has been patched upstream in FreeType releases later than 2.13.0 (builds at 2.13.0 or earlier remain affected), but many Android devices still ship older, unpatched builds because OEM updates lag behind, a persistent problem in the Android ecosystem.
Additional Vulnerabilities in May 2025 Bulletin
Beyond CVE-2025-27363, the May bulletin includes:
“Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform,” Google stated.
“We encourage all users to update to the latest version of Android where possible.”
Still, the persistent challenge remains: not all devices are updated equally. Devices outside of Google's own Pixel line or Samsung's newer Galaxy models often face multi-month delays—or receive no updates at all.
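The two gaps described above, a FreeType build at or below 2.13.0 and an Android device that has not received the May 2025 bulletin, can both be checked from a workstation. The script below is an added example written for this page, not code from the article, from Google or from the FreeType project. It assumes, as the article states, that FreeType 2.13.0 and earlier are affected and later releases carry the fix, and it assumes that the May 2025 bulletin corresponds to the security patch level string 2025-05-01 that Android exposes through the `ro.build.version.security_patch` property. The comparison logic is in pure POSIX sh functions so it can be exercised without a device; the reporting wrappers call `pkg-config` and `adb` only if they are installed.

```shell
#!/bin/sh
# Added example for this article (not Google's, FreeType's or the author's code).
# Assumptions, labelled here and in the lead-in:
#   - FreeType <= 2.13.0 is affected; > 2.13.0 carries the fix (per the article).
#   - The May 2025 Android bulletin maps to security patch level 2025-05-01,
#     reported by a device as ro.build.version.security_patch.

# ft_vulnerable VERSION
# Exit 0 if VERSION (e.g. "2.13.0" or "2.13") is 2.13.0 or older,
# exit 1 if it is newer, exit 2 if the string is not a dotted version.
ft_vulnerable() {
    ver="$1"
    case "$ver" in
        ""|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        # bare "2" style version: treat as X.0.0
        minor=0; patch=0
    else
        minor=${rest%%.*}
        patch=${rest#*.}
        # two-component version like "2.13": no patch field
        [ "$patch" = "$rest" ] && patch=0
    fi
    # Collapse to one integer so a single comparison suffices: 2.13.0 -> 2013000
    num=$((major * 1000000 + minor * 1000 + patch))
    [ "$num" -le 2013000 ]
}

# patch_level_covers_may2025 LEVEL
# Exit 0 if LEVEL (YYYY-MM-DD) is 2025-05-01 or later, exit 1 if earlier,
# exit 2 if it is not in the expected format.
patch_level_covers_may2025() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    y=${level%%-*}
    rest=${level#*-}
    m=${rest%%-*}
    d=${rest#*-}
    # YYYYMMDD compares correctly as a plain integer
    [ "$y$m$d" -ge 20250501 ]
}

# Report on the FreeType build the host links against (Linux/macOS with pkg-config).
report_host_freetype() {
    v=$(pkg-config --modversion freetype2 2>/dev/null) || {
        echo "host: FreeType version not available via pkg-config"
        return 0
    }
    if ft_vulnerable "$v"; then
        echo "host: FreeType $v is 2.13.0 or older, affected"
    elif [ $? -eq 1 ]; then
        echo "host: FreeType $v is newer than 2.13.0, carries the fix"
    else
        echo "host: could not parse FreeType version '$v'"
    fi
}

# Report on the security patch level of a USB/ADB-attached Android device.
report_android_device() {
    command -v adb >/dev/null 2>&1 || {
        echo "device: adb not installed, skipping"
        return 0
    }
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    [ -n "$level" ] || { echo "device: no device reachable via adb"; return 0; }
    if patch_level_covers_may2025 "$level"; then
        echo "device: patch level $level includes the May 2025 bulletin"
    elif [ $? -eq 1 ]; then
        echo "device: patch level $level predates the May 2025 bulletin"
    else
        echo "device: unexpected patch level string '$level'"
    fi
}

report_host_freetype
report_android_device
```

Both report functions degrade to an informational line when the tool or device is absent, so the script is safe to run in an inventory job. On a fleet, the patch-level check is the more useful of the two, because Android does not expose the bundled `libft2.so` version through a property; the bulletin level is the value an administrator can actually collect.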
Key Takeaways for Security Professionals
A Systemic Debate: How Long Will Fragmentation Undermine Android Security?
Despite Google's continuous improvements to platform security, Android’s fragmented update model continues to place millions of users at risk. Unlike iOS, which benefits from centralized control and uniform patching, Android relies heavily on OEMs and carriers to deliver security updates.
With actively exploited vulnerabilities now reaching deep into shared open-source components, the question isn’t just about patch speed—it’s about the model itself.
Should Google take more aggressive steps to decouple critical security patches from OEM control? Could a modular patching framework or mandatory OEM SLAs (Service Level Agreements) shift the balance?