Google has published its Android Security Bulletin for May 2025, delivering critical updates to the Android ecosystem. This monthly update resolves 46 vulnerabilities, one of which—CVE-2025-27363—has already been exploited in the wild.
CVE-2025-27363, a high-severity vulnerability with a CVSS score of 8.1, lies at the core of Google’s May 2025 Android Security Bulletin. Located in the Android System component, this flaw enables local code execution without requiring elevated privileges or user interaction, posing a serious risk to device integrity, particularly if platform and service mitigations are bypassed.
The vulnerability, which stems from the widely used FreeType open-source font rendering library, was first identified by Facebook researchers in March 2025 and has since been observed in limited, targeted exploitation.
Google described it as the most critical issue addressed in this update, stating, “The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed,” in its advisory released on May 5, 2025.
Key Details from the May 2025 Android Security Bulletin
The May bulletin breaks down the vulnerabilities into two patch levels:
- 2025-05-01 Security Patch Level
- 2025-05-05 Security Patch Level
Devices that receive the 2025-05-05 update will also be protected from all previously disclosed issues.
Highlights from the bulletin include
- 46 vulnerabilities addressed across core components like System, Framework, Kernel, and third-party hardware drivers.
- Android partners were informed at least a month in advance of the bulletin’s publication.
- Source code patches will be released into the Android Open Source Project (AOSP) within 48 hours of publication.
Other High-Severity Vulnerabilities Patched
Apart from CVE-2025-27363, several other critical issues have been resolved. These include:
Framework Vulnerabilities (Examples)
- CVE-2025-0087 — Elevation of Privilege (EoP) affecting Android versions 13, 14, and 15.
- CVE-2025-26426 — EoP issue impacting Android 13, 14, and 15.
System Component Vulnerabilities
- CVE-2025-26420, CVE-2025-26421 — High-severity EoP bugs patched in multiple versions.
- CVE-2025-26430 — Local EoP affecting Android 15.
Google Play System Updates
Fixes for issues in:
- Documents UI
- Permission Controller
- WiFi subsystem
Third-Party Component Vulnerabilities
The bulletin also lists vulnerabilities tied to hardware vendors and chipset manufacturers. These include:
Arm (Mali GPU Drivers)
- CVE-2025-0072
- CVE-2025-0427
Imagination Technologies (PowerVR GPU)
- Multiple CVEs including CVE-2024-49739 and CVE-2024-47891
MediaTek
- CVE-2025-20666 — High-severity issue in MediaTek modem components
Qualcomm
Multiple issues including:
- CVE-2025-21467 and CVE-2025-21468 — High-risk flaws affecting camera and location services
- Vulnerabilities in closed-source Qualcomm components
Google Play Protect and Platform-Level Defenses
Google emphasizes the importance of Google Play Protect, which is:
- Enabled by default on devices with Google Mobile Services
- Designed to detect and warn users about Potentially Harmful Applications (PHAs)
- A vital layer of defense, especially for users installing apps from outside the Play Store
In addition, Google notes that newer Android versions include enhanced mitigations that make exploitation harder.
How to Check Your Security Patch Level
Users can check and update their Android version to ensure they have the latest protection. Devices with the following patch strings are considered secure:
- [ro.build.version.security_patch]:[2025-05-01]
- [ro.build.version.security_patch]:[2025-05-05]
Google encourages device manufacturers to bundle all fixes in a single OTA update for streamlined user security.
Conclusion
CVE-2025-27363 remains the only vulnerability in the May 2025 Android Security Bulletin confirmed to be actively exploited, highlighting the urgency for users to apply updates without delay, particularly those using Android 10 or later. Google has announced that corresponding patches will be made available in the Android Open Source Project (AOSP) within 48 hours.
Users are strongly encouraged to check their device’s security patch level and install the latest updates as soon as they become available. Full technical details, patch information, and related resources can be found in the official Android Security Bulletin—May 2025 on the Android developer portal.
