Google has confirmed that CVE-2025-27363, an out-of-bounds write vulnerability in the FreeType font rendering library (versions 2.13.0 and earlier), is under limited, targeted exploitation. The flaw affects Android 13 and 14 and arises from improper memory allocation during the parsing of TrueType GX and variable font files, which could lead to arbitrary code execution. Given FreeType’s widespread use on more than a billion devices, users are urged to apply the latest security patch immediately to mitigate potential risks.
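Because the flaw sits in the parsing of TrueType GX and variable fonts, a defender triaging font files (for example in an upload or asset pipeline) can separate variable fonts from static ones by reading the table directory; the sketch below is an added example, not code from Google or the FreeType project. It assumes the standard sfnt and TrueType Collection header layouts and the variation table tags (`fvar`, `gvar` and related) from the font specifications, none of which appear in the text above, and its sample font is constructed.

```python
import struct

# Table tags that mark a TrueType GX / OpenType variable font
# (assumption: taken from the font specifications, not from the article).
VARIATION_TAGS = {b"fvar", b"gvar", b"avar", b"cvar", b"HVAR", b"MVAR"}
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}


def tables_at(data, offset):
    """Return the set of table tags in the sfnt table directory at offset."""
    if offset + 12 > len(data) or data[offset:offset + 4] not in SFNT_MAGICS:
        raise ValueError("not an sfnt font")
    (num_tables,) = struct.unpack_from(">H", data, offset + 4)
    end = offset + 12 + 16 * num_tables
    if end > len(data):  # directory claims more records than the file holds
        raise ValueError("truncated table directory")
    return {data[p:p + 4] for p in range(offset + 12, end, 16)}


def variation_tables(data):
    """Variation-table tags found in a .ttf/.otf/.ttc blob, sorted."""
    if data[:4] == b"ttcf":  # TrueType Collection: several fonts in one file
        if len(data) < 12:
            raise ValueError("truncated collection header")
        (count,) = struct.unpack_from(">I", data, 8)
        if 12 + 4 * count > len(data):
            raise ValueError("truncated collection header")
        offsets = struct.unpack_from(">%dI" % count, data, 12)
    else:
        offsets = (0,)
    found = set()
    for off in offsets:
        found |= tables_at(data, off) & VARIATION_TAGS
    return sorted(t.decode("ascii") for t in found)


def constructed_font(tags):
    """Constructed sample: an sfnt header followed by empty table records."""
    blob = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tags), 0, 0, 0)
    for tag in tags:
        blob += struct.pack(">4sIII", tag, 0, 0, 0)
    return blob


if __name__ == "__main__":
    print(variation_tables(constructed_font([b"glyf", b"fvar", b"gvar"])))
```

A non-empty result means only that the file is a variable font and therefore reaches the affected parsing path on an unpatched FreeType; it says nothing about whether the file is malicious.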