https://source.android.com/docs/security/bulletin/2025-09-01

Google has released its September 2025 Android security update, the largest patch bundle of the year, containing fixes for 84 vulnerabilities, including two high-severity flaws that are being actively exploited in targeted attacks. The update addresses CVE-2025-38352, a Linux kernel race condition in POSIX CPU timers that can lead to privilege escalation, and CVE-2025-48543, an Android Runtime flaw that allows a malicious application to bypass sandbox restrictions and gain access to higher-level system capabilities without user interaction or special privileges.

The security bulletin indicates that both vulnerabilities are under “limited, targeted exploitation,” though Google has declined to specify the attackers or attack methods involved. The language suggests potential use by surveillanceware companies, and the Hong Kong Computer Emergency Response Team has echoed Google’s warning about scattered exploitation of both flaws. CVE-2025-38352 was originally disclosed on July 22, 2025, as a Linux kernel vulnerability fixed in kernel versions 6.12.35-1 and later, but it had not been flagged as actively exploited until this bulletin.

Beyond the two zero-day exploits, the September update includes four critical-severity vulnerabilities. CVE-2025-48539 is a particularly dangerous remote code execution flaw in Android’s System component that allows an attacker within physical or network proximity to execute arbitrary code without any user interaction. The three remaining critical flaws affect Qualcomm’s proprietary components, including CVE-2025-21483, a memory corruption issue in the data network stack that can be triggered by specially crafted network traffic, and CVE-2025-27034, an array index validation bug in the multi-mode call processor. The update also incorporates fixes for 27 Qualcomm components, bringing the total number of addressed vulnerabilities to 111, though these Qualcomm-specific patches apply only to devices using those chipsets. While Google Pixel users will receive the update immediately, the broader Android ecosystem faces deployment delays: manufacturers such as Samsung and Motorola typically roll out security patches on their own schedules, potentially leaving millions of devices vulnerable in the interim.