Google releases May 2025 Android security update, patching 57 flaws including a critical, actively exploited one
Take action: One actively exploited and multiple high-severity flaws are patched in this release. Plan to update your Android OS as soon as your vendor releases an update for your phone. Depending on the vendor, you might wait weeks or months before the update is released for your phone.
Google has released the May 2025 Android Security Bulletin patching 57 vulnerabilities across multiple subsystems. The update includes fixes for an actively exploited remote code execution vulnerability, which represents an immediate security threat to millions of Android users worldwide.
The most severe issue in this security update is tracked as CVE-2025-27363 (CVSS score 8.1), a remote code execution vulnerability in the System component that could lead to local code execution with no additional execution privileges needed. Google has explicitly noted that "there are indications that CVE-2025-27363 may be under limited, targeted exploitation".
CVE-2025-27363 turns out to be rooted in FreeType, the same open-source font rendering library whose exploitation was reported a couple of months ago.
The May 2025 security update is divided into two patch levels (2025-05-01 and 2025-05-05), containing fixes for:
- Framework (15 vulnerabilities)
- System (9 vulnerabilities)
- Arm components (2 vulnerabilities)
- Imagination Technologies PowerVR-GPU (8 vulnerabilities)
- MediaTek components (1 vulnerability)
- Qualcomm components (5 vulnerabilities)
- Qualcomm closed-source components (6 vulnerabilities)
Devices running Android 13 (2022) and 14 (2023) are particularly affected: any device with a security patch level prior to 2025-05-05 remains exposed, which covers nearly 40% of active Android devices. Successful exploitation could allow attackers to deploy malware, exfiltrate sensitive data, or gain persistent access through privilege escalation chains.
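The "patch level prior to 2025-05-05" point above is something fleet and MDM administrators usually want to check mechanically rather than by eye. The POSIX shell script below is an added example, not part of this article or of Google's bulletin. It assumes the device's level has already been read with `adb shell getprop ro.build.version.security_patch` (a real Android property that returns `YYYY-MM-DD`) and passed in as a string, so the script runs offline against a constructed inventory; the device names in that inventory are made up.

```shell
#!/bin/sh
# Added example: classify Android devices by security patch level (SPL)
# against the 2025-05-05 level from the May 2025 bulletin.
# Obtain a device's SPL with:  adb shell getprop ro.build.version.security_patch

REQUIRED_SPL="2025-05-05"   # the later of the two patch levels in this bulletin

# spl_to_int: YYYY-MM-DD -> YYYYMMDD so two levels compare as plain integers.
# Prints nothing and returns 1 on a malformed value.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | tr -d '-' ;;
        *)
            return 1 ;;
    esac
}

# spl_status <patch-level>: prints "patched", "exposed" or "unknown";
# exit code 0 only when the device meets the required level.
spl_status() {
    have=$(spl_to_int "$1") || { echo unknown; return 2; }
    need=$(spl_to_int "$REQUIRED_SPL")
    if [ "$have" -ge "$need" ]; then
        echo patched
        return 0
    fi
    echo exposed
    return 1
}

# list_exposed: reads "<device-id> <patch-level>" lines on stdin and prints
# every device that is not at or above the required level (unknown included,
# because a value that does not parse should be investigated, not ignored).
list_exposed() {
    while read -r dev spl; do
        [ -n "$dev" ] || continue
        status=$(spl_status "$spl" || true)
        [ "$status" = patched ] || echo "$dev $spl $status"
    done
}

# Constructed sample inventory (hypothetical device ids and levels).
SAMPLE_INVENTORY='pixel-8 2025-05-05
galaxy-s23 2025-04-01
oneplus-12 2025-05-01
tablet-x bogus'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | list_exposed
fi
```

Running the script with `--demo` lists the three devices below the required level; note that a device at 2025-05-01 is still reported as exposed, because only the 2025-05-05 level carries every fix in the bulletin.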
Several vulnerabilities are also being addressed through Google Play system updates in the following Project Mainline components:
- Documents UI (CVE-2025-26427)
- Permission Controller (CVE-2025-26420, CVE-2025-26425)
- WiFi (CVE-2025-26423)
Google's own Pixel devices will receive these updates immediately, while users of phones from other manufacturers like Samsung, OnePlus, and Motorola may need to wait for their respective vendors to test and implement the patches.
Source code patches for these vulnerabilities will be released to the Android Open Source Project (AOSP) repository within 48 hours of the bulletin's publication.