Android is under attack — again. Google confirmed as much this week, before issuing an immediate update for its Pixel phones. Now Samsung has done the same, releasing details of its May security update with the fix included. There’s a nasty twist with this one, though, with Samsung’s phones particularly vulnerable to the attack.
Meta was first to disclose CVE-2025-27363, detailing an arbitrary code execution vulnerability in FreeType font rendering software that “may have been exploited in the wild.” Now Google says Android phones have been attacked.
The twist is that Android’s security bulletin says the fix only applies to Android 13 and 14, suggesting Android 15 already contains it. That means Samsungs are vulnerable where Pixels are not, given that the Galaxy-maker was late to the party with One UI 7’s Android 15 rollout, and millions of phones have not yet been upgraded.
Now America’s cyber defense agency has issued an update warning for all affected devices, with a May 27 deadline to either update or stop using phones. The formal mandate applies just to U.S. federal employees, but CISA’s remit is “to help every organization better manage vulnerabilities and keep pace with threat activity.”
The good news with this vulnerability and fix is that Samsung has been almost as fast as Google in confirming the fix. That’s not always the case. We have seen multiple occasions where Samsungs have run a month behind Pixels with these updates, even with a CISA mandate in place, which Samsung devices have missed.
Clearly, this only applies to those Galaxy phones yet to upgrade to Android 15, and that upgrade satisfies the update mandate per Android’s security bulletin. If you’re sticking with Android 14 for now — by choice or otherwise — then ensure you apply the update as soon as it’s made available for your model, region and carrier. You should be able to meet the deadline, given it’s late in the month.
CISA warns that “FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.”
Google explains this “could lead to local code execution with no additional execution privileges needed,” and that “user interaction is not needed for exploitation.”
All of which means you need to take this seriously.