Google fixes actively exploited FreeType flaw on Android

Published on: 2025-07-24 12:33:38

Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability. FreeType is a popular open-source font rendering library that displays and programmatically adds text to images.

The flaw, tracked as CVE-2025-27363, is a high-severity arbitrary code execution bug discovered by Facebook security researchers in March 2025. It impacts all FreeType versions up to 2.13, which was released on February 9, 2023, and addresses the vulnerability.

"There are indications that CVE-2025-27363 may be under limited, targeted exploitation," reads the bulletin.

Neither Facebook nor Google disclosed details about how the flaw is used in attacks. However, Facebook's disclosure in March explains that it can be exploited when FreeType parses a malicious TrueType GX or variable font file, leading to code execution.

"An out of bounds write exists in FreeType versions 2.13.0 and below (newer ...