Google’s latest Android Security Bulletin patches 46 security vulnerabilities impacting Android devices, one of which is a zero-day flaw in FreeType that may be under “limited, targeted exploitation.”
The security update for May includes fixes for a range of issues: most are an elevation of privilege flaws, though there are a few information disclosure and denial of service vulnerabilities and one remote code execution bug. All are considered high severity. May’s patch also addresses vulnerabilities with Qualcomm, MediaTek, Arm, and Imagination Technologies components.
One active exploit
The zero-day addressed with the latest update is a remote code execution flaw labeled CVE-2025-27363. It impacts FreeType, an open-source font rendering library, and allows attackers to exploit how the program processes certain files. The bug affects FreeType versions 2.13.0 and below and was first reported by security researchers at Facebook in March 2025, though details as to how it has been exploited have not been disclosed.
What Android users need to do
If you have an Android device, you should get a notification to install the latest security update as soon as it’s available. Google pushes patches to Pixel phones and the core Android Open Source Project (AOSP) code, while other device manufacturers—Samsung, Motorola, and Nokia—typically issue updates around the same time.
This month’s patches apply to AOSP versions 13, 14, and 15, with separate updates dated 2025-05-01 and 2025-05-05 (the latter addresses all of the flaws identified). Note that Google ended support for Android 12 as of March 31, meaning devices running this and older versions won’t receive security updates even though they may be affected by some of the vulnerabilities.
If you’re not sure whether your device has been patched, check for available updates via Settings > Security & privacy > System & updates > Security update and follow the prompts to download and install.
