
Google has released its May 2025 Android security bulletin, addressing 46 vulnerabilities, one of which is already being exploited in the wild. The flaw sits in the System component and is rated High severity by Google; it allows local code execution with no additional execution privileges needed and no user interaction required, which means a malicious font delivered through any channel that the device renders could trigger it silently.
Tracked as CVE-2025-27363 and carrying a CVSS score of 8.1, the vulnerability lies in FreeType, the widely used open-source font rendering library. It is an out-of-bounds write that occurs while parsing font subglyph structures for TrueType GX and variable fonts. According to the advisory from Meta, which reported the bug upstream, the vulnerable code assigns a signed short to an unsigned long and then adds a fixed constant; a negative value wraps around, the heap buffer is allocated far too small, and up to six signed long integers are then written past its end. FreeType 2.13.0 and earlier are affected; the issue is fixed in versions after 2.13.0.
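The following is an added illustration of the integer-width bug class described above, written for this page; it is not FreeType's code, and the field layout, the function names and the EXTRA_POINTS constant are assumptions chosen to make the arithmetic visible. It shows the vulnerable size computation beside a hardened one that rejects a negative count and checks the addition and multiplication for overflow before any allocation happens.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed fixed overhead added to a point count before allocation.
 * The real constant in FreeType is not stated in the article. */
#define EXTRA_POINTS 4

/* Constructed sample inputs: a 16-bit big-endian count as stored in
 * TrueType tables. 0xFFFF is -1 as a signed short; 0x0010 is 16. */
const unsigned char SAMPLE_NEGATIVE_COUNT[2] = { 0xFF, 0xFF };
const unsigned char SAMPLE_SMALL_COUNT[2]    = { 0x00, 0x10 };

/* Read a big-endian signed 16-bit value. */
static int16_t read_be16(const unsigned char *p) {
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the signed short is widened into an unsigned long,
 * so -1 becomes ULONG_MAX; adding EXTRA_POINTS then wraps to 3, and a
 * buffer sized from this value is far smaller than the parser later
 * assumes. Returns the element count the buggy code would allocate. */
unsigned long vulnerable_point_count(const unsigned char *data) {
    unsigned long n_points = read_be16(data);   /* sign-extended, then unsigned */
    n_points += EXTRA_POINTS;                    /* wraps for negative input */
    return n_points;
}

/* Hardened pattern: reject negative counts outright, then check both the
 * addition and the element-size multiplication before trusting the size.
 * Returns 0 and stores the element count on success, -1 on rejection. */
int safe_point_count(const unsigned char *data, size_t *out_elems) {
    int16_t raw = read_be16(data);
    if (raw < 0)
        return -1;                               /* negative count is malformed */
    size_t n = (size_t)raw;
    if (n > SIZE_MAX - EXTRA_POINTS)
        return -1;                               /* addition would overflow */
    n += EXTRA_POINTS;
    if (n > SIZE_MAX / sizeof(long))
        return -1;                               /* byte size would overflow */
    *out_elems = n;
    return 0;
}

int main(void) {
    size_t n = 0;
    printf("vulnerable: count -1 allocates %lu elements (%lu bytes)\n",
           vulnerable_point_count(SAMPLE_NEGATIVE_COUNT),
           vulnerable_point_count(SAMPLE_NEGATIVE_COUNT) * sizeof(long));
    printf("hardened:   count -1 -> %s\n",
           safe_point_count(SAMPLE_NEGATIVE_COUNT, &n) == 0 ? "accepted" : "rejected");
    printf("hardened:   count 16 -> %zu elements\n",
           safe_point_count(SAMPLE_SMALL_COUNT, &n) == 0 ? n : 0);
    return 0;
}
```

The takeaway for reviewers of any binary-format parser is the first line of the vulnerable function: a signed field read from untrusted input must be range-checked in its signed type before it is ever widened into a size_t or unsigned long, because the conversion itself turns a small negative number into a huge one and the next addition hides it again.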
Although detailed information on the attacks remains scarce, Google confirms that exploitation has occurred in a limited and highly targeted fashion—indicating that threat actors may have deployed this vulnerability against select individuals or devices harboring sensitive data.
In addition to this actively exploited flaw, the May security update addresses a host of other issues, including vulnerabilities that could enable privilege escalation, disclosure of sensitive information, or denial of service.
The bulletin is split into two patch levels. The 2025-05-01 level covers the Android framework, where several vulnerabilities could allow a local attacker to elevate privileges, and the System component, which is where the FreeType fix lives. The 2025-05-05 level covers the kernel and the chipset vendors' components, where flaws could lead to code execution or leakage of sensitive data.
Significant attention has also been directed toward vulnerabilities in third-party components. Seven high-severity issues were resolved in PowerVR GPU drivers from Imagination Technologies. Patches have likewise been issued for Arm Mali GPU drivers and MediaTek modem firmware. Qualcomm, too, has acknowledged multiple vulnerabilities across its kernel, camera, location, and WLAN subsystems, including its closed-source components.
It is worth noting that many of these vulnerabilities are classified as EoP (elevation of privilege) bugs, Android's term for flaws that let code cross a security boundary it should not be able to cross. The update also includes fixes for Project Mainline modules, which are delivered as Google Play system updates directly from Google, independent of device manufacturers.
Android's security posture therefore no longer hinges solely on firmware updates from the manufacturer; timely Google Play system updates for the Mainline modules are just as important. Google Play Protect is a separate mechanism: it scans installed apps for malicious behavior and matters most for users who sideload applications from outside the official Play Store, but it does not deliver component patches.
Android users are strongly urged to verify that their security patch level is 2025-05-05 or later; the 2025-05-01 level already contains the FreeType fix, but the later level adds the kernel and vendor fixes. The patch level is shown under Settings > About phone > Android version as "Android security update", and the same date is exposed by the ro.build.version.security_patch system property. Manufacturers, in turn, are advised to consolidate all available fixes into a single update so that devices reach the later patch level in one step.
The current list of CVEs runs to dozens of entries, among them 15 vulnerabilities in the Android framework, 9 in core System components, and numerous flaws in third-party chipsets. Devices running Android 10 and later typically receive both the monthly security patches and Google Play system updates.
In summary, the May bulletin underscores the imperative of timely patching, especially in light of actively exploited vulnerabilities such as CVE-2025-27363. Because font parsing happens silently on behalf of many apps, a single unpatched flaw of this kind can compromise a device without the user doing anything at all.