Full Report
Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability. [...]
Analysis Summary
# Vulnerability: Actively Exploited FreeType Heap Out-of-Bounds Write in Android
## CVE Details
- CVE ID: Not explicitly provided in the context, only referenced as an actively exploited FreeType flaw.
- CVSS Score: Not explicitly provided in the context. (Generally, actively exploited RCEs are considered High/Critical.)
- CWE: Identified as an out-of-bounds write (a memory-corruption weakness class).
## Affected Systems
- Products: FreeType library used in Android.
- Versions: FreeType 2.13.0 and below (newer FreeType releases are not vulnerable to this specific flaw).
- Configurations: The bulletin covers Android 13, 14, and 15; how the flaw applies to each of these versions is not detailed. Android 12 and older may still be affected if the fix is not backported.
## Vulnerability Description
The vulnerability is an out-of-bounds write in the FreeType library, reached when parsing font subglyph structures in TrueType GX or variable font files. The flaw occurs because a signed short value is assigned to an unsigned long, causing an integer wrap-around. The wrapped value is used as an allocation size, so the heap buffer that is allocated is too small. Subsequently, up to 6 signed long integers can be written out of bounds relative to this buffer, potentially leading to arbitrary code execution.
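As an added illustration (not FreeType's code and not from the article), the hypothetical record parser below reproduces the bug class described above: a signed short count from the file is stored in an unsigned long, the size arithmetic wraps to a tiny allocation, and the hardened form rejects the count before any buffer is sized. The record layout, constants and function names are all assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical record layout (not FreeType's): a big-endian signed 16-bit
 * entry count followed by fixed-size entries. Invented for this example. */
#define ENTRY_BYTES   4UL
#define HEADER_BYTES  8UL

/* Read a big-endian signed 16-bit value the way a font parser would. */
static short read_s16_be(const unsigned char *p) {
    return (short)(uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the signed count lands in an unsigned long, so a
 * negative count becomes a huge value and the size arithmetic wraps. */
unsigned long alloc_size_unchecked(short count) {
    unsigned long n = count;                 /* -1 becomes ULONG_MAX */
    return n * ENTRY_BYTES + HEADER_BYTES;   /* -1 wraps to 4 bytes: far too small */
}

/* Hardened form: reject negative counts before the conversion and guard the
 * multiplication. Returns the size, or 0 when the count is rejected. */
unsigned long alloc_size_checked(short count) {
    if (count < 0) return 0;
    unsigned long n = (unsigned long)count;
    if (n > (ULONG_MAX - HEADER_BYTES) / ENTRY_BYTES) return 0;  /* defence in depth */
    return n * ENTRY_BYTES + HEADER_BYTES;
}

/* Defensive parser: validates the count and that the declared entries are
 * actually present in the input. Returns the entry count, or -1 on reject. */
int parse_record(const unsigned char *buf, size_t len) {
    if (len < 2) return -1;
    short count = read_s16_be(buf);
    if (alloc_size_checked(count) == 0) return -1;              /* negative or oversized */
    if ((size_t)count * ENTRY_BYTES > len - 2) return -1;        /* truncated input */
    return count;
}

/* Constructed sample inputs: a hostile record with count = -1 and a benign
 * record declaring two 4-byte entries. */
const unsigned char hostile_record[] = { 0xFF, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 };
const unsigned char benign_record[]  = { 0x00, 0x02, 1, 2, 3, 4, 5, 6, 7, 8 };
```

With the hostile record, `alloc_size_unchecked` returns 4 while the parser would go on to treat the buffer as holding a header plus entries, which is the undersized-allocation condition described above; `parse_record` rejects the same input before any allocation.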
## Exploitation
- Status: Actively exploited in the wild.
- Complexity: Likely Low to Medium, given it relies on specially crafted font files (e.g., delivered via email or messaging).
- Attack Vector: Likely Network/Adjacent, as exploitation occurs when the system parses a malicious font file.
## Impact
- Confidentiality: High (Implied by potential Arbitrary Code Execution)
- Integrity: High (Implied by potential Arbitrary Code Execution)
- Availability: High (Implied by potential Arbitrary Code Execution leading to system instability or compromise)
## Remediation
### Patches
- Google has released fixes incorporated into the Android Security Bulletins for versions 13, 14, and 15. Users should apply the latest available Android security updates.
### Workarounds
- For devices on Android versions older than 13 (which are past OEM support), vendor patches for this flaw are unlikely to be provided.
- Recommendation for unsupported devices: Consider migrating to a newer, supported model or moving to a third-party Android distribution that incorporates necessary security fixes.
- Users should be cautious about opening unsolicited attachments or content that might contain malicious font files.
## Detection
- Detection is primarily a matter of patch status: devices whose security patch level predates the May 2025 Android update still carry the vulnerable FreeType code.
- No indicators of compromise (IOCs) specific to this font-parsing flaw were released by Google or Facebook according to the source, so none are listed in this summary.
## References
- Vendor Advisories: Refer to the latest relevant monthly Android Security Bulletin.
- Relevant links (defanged):
  - bleepingcomputer com/news/security/google-fixes-actively-exploited-freetype-flaw-on-android/