The zero-day, tracked as CVE-2025-27363, resides in the System component and stems from a memory handling bug in FreeType — an open-source library widely used for font rendering. The flaw allows for local code execution without requiring additional privileges or user interaction. According to Facebook’s security team, which first disclosed details about the vulnerability in March 2025, attackers can exploit the issue through malformed TrueType GX or variable font files, leading to heap buffer overflows and potentially arbitrary code execution. While the vulnerability was fixed in FreeType 2.13.0 over two years ago, older versions remain embedded in many Android builds and third-party software, making the risk of exploitation significant.

Google has acknowledged signs of limited, targeted exploitation of CVE-2025-27363 in the wild, reinforcing the urgency for users and OEMs to apply the update. Devices patched with the 2025-05-05 security level will receive a fix for this vulnerability, along with all other patches from earlier levels.

Beyond the zero-day, the May 2025 bulletin addresses over 40 high-severity vulnerabilities affecting Android components such as the Framework, System, kernel, and key third-party hardware modules from Arm, MediaTek, Qualcomm, and Imagination Technologies.

Android device manufacturers are expected to incorporate these fixes into their firmware. Devices running Android 10 and later will receive some of these patches through Google Play system updates, covering components like the Wi-Fi stack, Permission Controller, and Documents UI. However, it is recommended that users of older models move to a newer device running Android version 13 or later. For some models, third-party Android distributions like GrapheneOS and LineageOS exist, which might provide security in aging devices.