Google’s latest Android Security Bulletin patches 46 security vulnerabilities impacting Android devices, one of which is a zero-day flaw in FreeType that may be under “limited, targeted exploitation.” The security update for May includes fixes for a range of issues: most are an elevation of privilege flaws, though there are a few information disclosure and denial of service vulnerabilities and one remote code execution bug. All are considered high severity. May’s patch also addresses vulnerabilities with Qualcomm, MediaTek, Arm, and Imagination Technologies components.One active exploitThe zero-day addressed with the latest update is a remote code execution flaw labeled CVE-2025-27363. It impacts FreeType, an open-source font rendering library, and allows attackers to exploit how the program processes certain files. The bug affects FreeType versions 2.13.0 and below and was first reported by security researchers at Facebook in March 2025, though details as to how it has been exploited have not been