Close Menu

    Google Rolls Out May 2025 Android Security Bulletin, Fixes 46 Vulnerabilities Including CVE-2025-27363

    Android Security Bulletin

    Google has published its Android Security Bulletin for May 2025, delivering critical updates to the Android ecosystem. This monthly update resolves 46 vulnerabilities, one of which—CVE-2025-27363—has already been exploited in the wild. 

    CVE-2025-27363, a high-severity vulnerability with a CVSS score of 8.1, lies at the core of Google’s May 2025 Android Security Bulletin. Located in the Android System component, this flaw enables local code execution without requiring elevated privileges or user interaction, posing a serious risk to device integrity, particularly if platform and service mitigations are bypassed.  

    The vulnerability, which stems from the widely used FreeType open-source font rendering library, was first identified by Facebook researchers in March 2025 and has since been observed in limited, targeted exploitation.  

    Google described it as the most critical issue addressed in this update, stating, “The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed,” in its advisory released on May 5, 2025. 

    Key Details from the May 2025 Android Security Bulletin 

    The May bulletin breaks down the vulnerabilities into two patch levels: 

    • 2025-05-01 Security Patch Level 
    • 2025-05-05 Security Patch Level 

    Devices that receive the 2025-05-05 update will also be protected from all previously disclosed issues. 

    Highlights from the bulletin include 

    • 46 vulnerabilities addressed across core components like System, Framework, Kernel, and third-party hardware drivers. 
    • Android partners were informed at least a month in advance of the bulletin’s publication. 
    • Source code patches will be released into the Android Open Source Project (AOSP) within 48 hours of publication. 

    Other High-Severity Vulnerabilities Patched 

    Apart from CVE-2025-27363, several other critical issues have been resolved. These include: 

    Framework Vulnerabilities (Examples) 

    • CVE-2025-0087 — Elevation of Privilege (EoP) affecting Android versions 13, 14, and 15.
    • CVE-2025-26426 — EoP issue impacting Android 13, 14, and 15.

    System Component Vulnerabilities

    • CVE-2025-26420, CVE-2025-26421 — High-severity EoP bugs patched in multiple versions.
    • CVE-2025-26430 — Local EoP affecting Android 15.

    Google Play System Updates 

    Fixes for issues in: 

    • Documents UI 
    • Permission Controller 
    • WiFi subsystem 

    Third-Party Component Vulnerabilities 

    The bulletin also lists vulnerabilities tied to hardware vendors and chipset manufacturers. These include: 

    Arm (Mali GPU Drivers) 

    • CVE-2025-0072 
    • CVE-2025-0427 

    Imagination Technologies (PowerVR GPU) 

    • Multiple CVEs including CVE-2024-49739 and CVE-2024-47891 

    MediaTek 

    • CVE-2025-20666 — High-severity issue in MediaTek modem components 

    Qualcomm 

    Multiple issues including: 

    • CVE-2025-21467 and CVE-2025-21468 — High-risk flaws affecting camera and location services 
    • Vulnerabilities in closed-source Qualcomm components 

    Google Play Protect and Platform-Level Defenses 

    Google emphasizes the importance of Google Play Protect, which is: 

    • Enabled by default on devices with Google Mobile Services 
    • Designed to detect and warn users about Potentially Harmful Applications (PHAs) 
    • A vital layer of defense, especially for users installing apps from outside the Play Store 

    In addition, Google notes that newer Android versions include enhanced mitigations that make exploitation harder. 

    How to Check Your Security Patch Level 

    Users can check and update their Android version to ensure they have the latest protection. Devices with the following patch strings are considered secure: 

    • [ro.build.version.security_patch]:[2025-05-01] 
    • [ro.build.version.security_patch]:[2025-05-05] 

    Google encourages device manufacturers to bundle all fixes in a single OTA update for streamlined user security. 

    Conclusion  

    CVE-2025-27363 remains the only vulnerability in the May 2025 Android Security Bulletin confirmed to be actively exploited, highlighting the urgency for users to apply updates without delay, particularly those using Android 10 or later. Google has announced that corresponding patches will be made available in the Android Open Source Project (AOSP) within 48 hours. 

    Users are strongly encouraged to check their device’s security patch level and install the latest updates as soon as they become available. Full technical details, patch information, and related resources can be found in the official Android Security Bulletin—May 2025 on the Android developer portal. 

    Source: Read More

    Related Posts

    Leave A Reply