Google has released a security update for the Android operating system, fixing 45 vulnerabilities, including a critical bug in the FreeType computer font library. The vulnerability, identified as CVE-2025-27363, allowed attackers to execute arbitrary code on the device without any action from the user.
According to BleepingComputer, the vulnerability was discovered by Facebook in March 2025. It affects all versions of FreeType up to 2.13.0, released in February 2023. It is also reported that the flaw may already have been exploited in limited, targeted attacks.
The bug is triggered when processing malicious TrueType GX font files and stems from incorrect handling of data while parsing subglyph structures. This leads to a buffer overflow and can allow an attacker to execute arbitrary code on the device.
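The defect class the article describes, a parser that trusts a count or length read from the file and then writes past the end of a buffer, is illustrated below in a constructed example added to this page. It is not FreeType's code: the record layout (a 16-bit big-endian entry count followed by fixed-size entries), the `record_t` type and the sample inputs are all hypothetical and chosen only to show where the missing bounds checks go.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example (not FreeType's):
 * a 16-bit big-endian entry count followed by `count` 4-byte entries. */
#define ENTRY_SIZE   4
#define MAX_ENTRIES  8   /* capacity of the destination buffer */

typedef struct {
    uint32_t entries[MAX_ENTRIES];
    size_t   n;
} record_t;

static uint16_t rd_u16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked parse: trusts the count taken from the file. A count larger than
 * MAX_ENTRIES writes past `out->entries`; a count larger than the data actually
 * present reads past `buf`. Shown only for contrast with the checked version. */
static void parse_unchecked(const uint8_t *buf, record_t *out) {
    uint16_t count = rd_u16(buf);
    for (size_t i = 0; i < count; i++)
        out->entries[i] = rd_u32(buf + 2 + i * ENTRY_SIZE);
    out->n = count;
}

/* Checked parse: every value derived from the input is validated against both
 * the bytes actually available and the capacity of the destination before any
 * write happens. Returns false and leaves `out` untouched on malformed input. */
static bool parse_checked(const uint8_t *buf, size_t len, record_t *out) {
    if (buf == NULL || out == NULL || len < 2)
        return false;                      /* header itself is incomplete */
    size_t count = rd_u16(buf);
    if (count > MAX_ENTRIES)
        return false;                      /* would overflow the destination */
    if (count > (len - 2) / ENTRY_SIZE)
        return false;                      /* file claims more entries than it carries;
                                              dividing avoids overflow in count*ENTRY_SIZE */
    for (size_t i = 0; i < count; i++)
        out->entries[i] = rd_u32(buf + 2 + i * ENTRY_SIZE);
    out->n = count;
    return true;
}

/* Convenience wrapper: number of entries parsed, or -1 if the input was rejected. */
static long checked_entry_count(const uint8_t *buf, size_t len) {
    record_t rec;
    return parse_checked(buf, len, &rec) ? (long)rec.n : -1L;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x02,                   /* count = 2 */
    0x11, 0x22, 0x33, 0x44,       /* entry 0 */
    0x55, 0x66, 0x77, 0x88        /* entry 1 */
};
static const uint8_t SAMPLE_HUGE_COUNT[] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 }; /* count = 65535 */
static const uint8_t SAMPLE_TRUNCATED[]  = { 0x00, 0x03, 0x11, 0x22, 0x33, 0x44 }; /* claims 3, carries 1 */

int main(void) {
    record_t checked, unchecked;
    /* On well-formed input both parsers agree; the difference is only visible on hostile input. */
    parse_unchecked(SAMPLE_GOOD, &unchecked);
    if (parse_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &checked))
        printf("good record: %zu entries, entry[1] = 0x%08x (unchecked agrees: %s)\n",
               checked.n, checked.entries[1],
               unchecked.n == checked.n ? "yes" : "no");
    printf("huge count rejected: %s\n",
           checked_entry_count(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT) < 0 ? "yes" : "no");
    printf("truncated rejected:  %s\n",
           checked_entry_count(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED) < 0 ? "yes" : "no");
    /* parse_unchecked() is deliberately never called on the malformed samples:
     * doing so is exactly the out-of-bounds access the checks above prevent. */
    return 0;
}
```

The two guards in `parse_checked` are the ones that matter for this bug class: the count is compared with the destination capacity before any write, and with the bytes actually present (using division rather than `count * ENTRY_SIZE`, so the comparison itself cannot overflow) before any read.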
In addition to FreeType, the updates fix vulnerabilities in the Framework, System, Google Play, and Android kernel components, as well as in chipsets from MediaTek, Qualcomm, Arm, and Imagination Technologies. Most of these bugs allowed for privilege escalation in the system and were considered high-risk.
Fixes are available for Android 13, 14, and 15, although not all vulnerabilities affect each of these versions. Note that Android 12 officially stopped receiving security updates on March 31, 2025, and older versions are left without protection at all. Google may still ship some critical fixes through Google Play System Updates, but there is no guarantee that they will be available for older devices.
To check for an update, go to Settings → Security & Privacy → System & Updates → Security Update and tap Check for Updates. The exact path may vary depending on the device model and manufacturer.
Experts recommend that owners of smartphones on Android 12 and above upgrade to a newer version of the OS or install custom firmware with current patches. Otherwise, the devices remain vulnerable to attacks.