Google has released its September 2025 Android security update, fixing a staggering 120 vulnerabilities across various components of the mobile OS. Among them are two high-risk flaws that Google confirmed have been exploited in limited, targeted attacks—CVE-2025-38352 in the Linux Kernel and CVE-2025-48543 in Android Runtime.
Both zero-day vulnerabilities enable local privilege escalation without requiring user interaction or additional execution privileges. CVE-2025-38352, rated 7.4 on the CVSS scale, was discovered by Benoît Sevens of Google’s Threat Analysis Group (TAG), suggesting its possible use in surveillance-related campaigns. CVE-2025-48543 has yet to receive a public CVSS score but shares a similar threat profile.
Although Google has not disclosed how these flaws have been used in the wild, the acknowledgment of “limited, targeted exploitation” points to potential deployment in spyware or nation-state-level intrusions. The lack of detail is consistent with Google’s policy of restricting technical information while threats are still active or being investigated.
In addition to these zero-days, the update includes patches for other critical vulnerabilities across Android’s Framework and System components, including remote code execution (RCE), information disclosure, denial-of-service (DoS), and more privilege escalation bugs.
To help Android partners respond efficiently, Google issued two patch levels: 2025-09-01 and 2025-09-05. The staggered rollout allows manufacturers to prioritize fixes that apply universally across Android devices while continuing work on more device-specific patches.
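A defender's first question after a bulletin like this is which devices in a fleet actually carry the new patch level. The following is an added triage example, not code from Google or the article: it parses the `ro.build.version.security_patch` property as printed by `adb shell getprop` (a real Android property) and classifies each device against the two September 2025 patch levels named above, relying on the bulletin convention that a later patch level includes every fix from the earlier ones. The device names and property dumps are constructed sample input.

```python
import re
from datetime import date

# The two patch levels from the September 2025 bulletin (as named in the article).
SEPT_2025_PARTIAL = date(2025, 9, 1)  # fixes that apply universally across Android
SEPT_2025_FULL = date(2025, 9, 5)     # adds the more device-specific fixes

# Matches the line `adb shell getprop` prints for the security patch property.
_PATCH_RE = re.compile(
    r"\[ro\.build\.version\.security_patch\]:\s*\[(\d{4}-\d{2}-\d{2})\]"
)


def parse_patch_level(getprop_output: str):
    """Extract the declared security patch level from a getprop dump, or None."""
    match = _PATCH_RE.search(getprop_output)
    return date.fromisoformat(match.group(1)) if match else None


def classify(patch_level):
    """Map a patch level to its coverage of the September 2025 bulletin.

    Android patch levels are cumulative: a device at 2025-09-05 or later carries
    every fix from 2025-09-01 and earlier levels as well.
    """
    if patch_level is None:
        return "unknown"      # property missing: treat as needing investigation
    if patch_level >= SEPT_2025_FULL:
        return "full"         # both September patch levels applied
    if patch_level >= SEPT_2025_PARTIAL:
        return "partial"      # universal fixes only; device-specific fixes pending
    return "unpatched"        # predates the September bulletin entirely


def triage(fleet: dict) -> dict:
    """Classify a mapping of device id -> getprop dump; returns id -> status."""
    return {dev: classify(parse_patch_level(dump)) for dev, dump in fleet.items()}


# Constructed sample dumps, trimmed to the relevant property line.
SAMPLE_FLEET = {
    "pixel-a": "[ro.build.version.security_patch]: [2025-09-05]\n",
    "tablet-b": "[ro.build.version.security_patch]: [2025-09-01]\n",
    "phone-c": "[ro.build.version.security_patch]: [2025-08-05]\n",
    "kiosk-d": "[ro.build.id]: [constructed]\n",  # property absent
}

if __name__ == "__main__":
    for dev, status in sorted(triage(SAMPLE_FLEET).items()):
        print(f"{dev}: {status}")
```

On a real fleet the dumps come from `adb shell getprop` per device; devices reporting "partial" or "unpatched" still lack fixes for the two exploited kernel and runtime flaws covered by the later level.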
This update follows Google’s August 2025 patch, which resolved two actively exploited Qualcomm vulnerabilities (CVE-2025-21479 and CVE-2025-27038). The back-to-back disclosures underscore the persistent threat posed by sophisticated attackers targeting Android at both the OS and hardware levels.