Android Security Update – Critical Patch Released for Actively Exploited Vulnerability
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Google has released the Android Security Bulletin for May 2025, addressing multiple vulnerabilities, including a high-severity remote code execution flaw that is actively being exploited in the wild.
The most severe issue identified in the May 2025 security patch is CVE-2025-27363, a high-severity vulnerability in the System component.
This flaw could lead to local code execution with no additional execution privileges needed,d and user interaction is not needed for exploitation.
Security researchers urge all Android users to update their devices immediately to protect against these potential threats.
Active Exploitation of High-Severity Android Flaw (CVE-2025-27363)
Google has confirmed that there are “indications that CVE-2025-27363 may be under limited, targeted exploitation”.
This acknowledgment of active exploitation elevates the urgency for users to apply the security patch as soon as possible. According to the patch details provided in the security bulletin, the vulnerability affects Android versions 13 and 14.
Technical analysis reveals that CVE-2025-27363 stems from an out-of-bounds write vulnerability in the FreeType font rendering library, specifically in versions 2.13.0 and earlier.
The vulnerability exists when the system attempts to parse font subglyph structures related to TrueType GX and variable font files.
Security experts explain that “the vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer”.
This memory corruption can potentially result in arbitrary code execution. This vulnerability is particularly concerning since FreeType is widely used, with deployment on over a billion devices across various products.
Risk Factors Details Affected ProductsFreeType library versions ≤2.13.0ImpactArbitrary code execution via memory corruptionExploit Prerequisites– Vulnerable FreeType version- Processing malicious TrueType GX/variable font files- No user interaction requiredCVSS 3.1 Score8.1 (High)
Google’s Security Patch Levels
Google has implemented security patch levels to help users and manufacturers identify which vulnerabilities have been addressed.
The security patch level 2025-05-05 or later addresses this critical vulnerability and other security issues identified in the bulletin.
Android users are strongly encouraged to check their device’s security patch level and update immediately. This can be done by following these steps:
For devices running Android 10 or later, users can also check for Google Play system updates, which may include security patches for some components.
The May 2025 Android Security Bulletin demonstrates the ongoing need for vigilance in mobile security and the importance of keeping devices updated with the latest security patches.
#Android #Cyber_Security #Cyber_Security_News #Security_Updates #Vulnerability
Оригинальная версия на сайте:
Android Security Update – Critical Patch Released for Actively Exploited Vulnerability
Author: Guru BaranGoogle has released the Android Security Bulletin for May 2025, addressing multiple vulnerabilities, including a high-severity remote code execution flaw that is actively being exploited in the wild.
The most severe issue identified in the May 2025 security patch is CVE-2025-27363, a high-severity vulnerability in the System component.
This flaw could lead to local code execution with no additional execution privileges needed,d and user interaction is not needed for exploitation.
Security researchers urge all Android users to update their devices immediately to protect against these potential threats.
Active Exploitation of High-Severity Android Flaw (CVE-2025-27363)
Google has confirmed that there are “indications that CVE-2025-27363 may be under limited, targeted exploitation”.
This acknowledgment of active exploitation elevates the urgency for users to apply the security patch as soon as possible. According to the patch details provided in the security bulletin, the vulnerability affects Android versions 13 and 14.
Technical analysis reveals that CVE-2025-27363 stems from an out-of-bounds write vulnerability in the FreeType font rendering library, specifically in versions 2.13.0 and earlier.
The vulnerability exists when the system attempts to parse font subglyph structures related to TrueType GX and variable font files.
Security experts explain that “the vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer”.
This memory corruption can potentially result in arbitrary code execution. This vulnerability is particularly concerning since FreeType is widely used, with deployment on over a billion devices across various products.
Risk Factors Details Affected ProductsFreeType library versions ≤2.13.0ImpactArbitrary code execution via memory corruptionExploit Prerequisites– Vulnerable FreeType version- Processing malicious TrueType GX/variable font files- No user interaction requiredCVSS 3.1 Score8.1 (High)
Google’s Security Patch Levels
Google has implemented security patch levels to help users and manufacturers identify which vulnerabilities have been addressed.
The security patch level 2025-05-05 or later addresses this critical vulnerability and other security issues identified in the bulletin.
Android users are strongly encouraged to check their device’s security patch level and update immediately. This can be done by following these steps:
- Go to Settings.
- Select About phone.
- Check the Android version and Security patch level.
For devices running Android 10 or later, users can also check for Google Play system updates, which may include security patches for some components.
The May 2025 Android Security Bulletin demonstrates the ongoing need for vigilance in mobile security and the importance of keeping devices updated with the latest security patches.
#Android #Cyber_Security #Cyber_Security_News #Security_Updates #Vulnerability
Оригинальная версия на сайте:
