Mountain View, Calif. — Google has announced a series of critical security updates for Android, addressing a total of 46 vulnerabilities. Among these is a significant flaw, identified as CVE-2025-27363, which has reportedly been under active exploitation.
CVE-2025-27363 is categorized as a high-severity vulnerability, scoring 8.1 on the Common Vulnerability Scoring System (CVSS). This particular flaw exists within the System component of Android and allows for local code execution without requiring additional execution privileges or user interaction.
The flaw originates in the FreeType open-source font rendering library and was initially disclosed by Facebook in March 2025. It is characterized as an out-of-bounds write issue that could allow attackers to execute code when specific TrueType GX and variable font files are parsed. Google has implemented fixes in FreeType versions released after 2.13.0.
In its security advisory, Google acknowledged that CVE-2025-27363 appears to be subject to limited, targeted attacks, though details regarding the methods employed remain uncertain. The company emphasized the importance of updating to mitigate risks associated with this vulnerability and other issues addressed in the May update.
In addition to the high-risk flaw, the update resolves eight other weaknesses within the Android System and 15 vulnerabilities within the Framework module. These flaws could be exploited for privilege escalation, information disclosure, and denial-of-service conditions.
Google noted that hardening added in newer Android platform versions makes exploitation of many of these issues more difficult. The technology giant continues to encourage users to keep their systems updated as a line of defense against potential threats.
As cyber threats grow more sophisticated, proactive measures such as regular software updates remain paramount in protecting user data and privacy.