Google has released the September 2025 security update for Android devices, addressing a total of 84 vulnerabilities, including two actively exploited flaws.

The two flaws that were detected as exploited in zero-day attacks are CVE-2025-38352, an elevation of privilege in the Android kernel, and CVE-2025-48543, also an elevation of privilege problem in the Android Runtime component.

Google noted in its bulletin that there are indications that those two flaws may be under limited, targeted exploitation, without sharing any more details.

CVE-2025-38352 is a Linux kernel flaw first disclosed on July 22, 2025, and fixed in kernel versions 6.12.35-1 and later. It had not previously been flagged as actively exploited.

The flaw is a race condition in the POSIX CPU timers code that can disrupt task cleanup and destabilize the kernel, potentially leading to crashes, denial of service, and privilege escalation.

CVE-2025-48543 impacts the Android Runtime, where Java/Kotlin apps and system services execute. It potentially allows a malicious app to bypass sandbox restrictions and access higher-level system capabilities.

Apart from the two actively exploited flaws, Google’s September 2025 update for Android also addresses four critical-severity problems.

The first is CVE-2025-48539, a remote code execution (RCE) problem in Android’s System component.

It allows an attacker within physical or network proximity, such as Bluetooth or WiFi range, to execute arbitrary code on the device without any user interaction or privileges.

The other three critical flaws are CVE-2025-21450, CVE-2025-21483, and CVE-2025-27034, all of which impact Qualcomm’s proprietary components.

According to additional details provided by Qualcomm in its own bulletin, CVE-2025-21483 is a memory corruption flaw in the data network stack that occurs when reassembling video NAL units (NALUs) from RTP packets.

Attackers can send specially crafted network traffic that triggers out-of-bounds writes, allowing remote code execution without user interaction.

CVE-2025-27034 is an array index validation bug in the multi-mode call processor during PLMN selection from the SOR failed list.

Malicious or malformed network responses can corrupt memory and enable code execution in the modem baseband.

In total, this Android patch release incorporates fixes for 27 Qualcomm components, bringing the total number of fixed flaws to 111. However, these aren’t relevant to devices running on chips from other manufacturers.

For MediaTek-powered devices, details about the latest security fixes are available on the chip vendor’s bulletin.

This latest Android security update covers vulnerabilities impacting Android 13 through 16, though not all flaws impact every version of the mobile OS.

The recommended action is to upgrade to security patch level 2025-09-01 or 2025-09-05 by navigating to Settings > System > Software updates > System update and tapping 'Check for update.'
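For administrators checking a fleet rather than a single handset, the following POSIX shell check is an added example (not from Google's bulletin or this article): it decides whether a device's reported patch level, as exposed by the `ro.build.version.security_patch` system property, meets the levels named above. The function names are mine, and the comment on what distinguishes the two levels reflects the usual Android bulletin convention.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# September 2025 targets. Patch levels are ISO dates (YYYY-MM-DD), so they
# can be compared numerically once the dashes are stripped.

# By Android bulletin convention, 2025-09-01 covers the Android framework
# and kernel fixes, while 2025-09-05 additionally covers the vendor
# (e.g. Qualcomm) component fixes listed in the same bulletin.
TARGET_PARTIAL="2025-09-01"
TARGET_FULL="2025-09-05"

# valid_patch_level LEVEL: succeed only for a well-formed YYYY-MM-DD string,
# so an empty or garbled property is reported rather than silently passing.
valid_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# patch_level_meets LEVEL TARGET: succeed if LEVEL is on or after TARGET.
patch_level_meets() {
    lvl=$(printf '%s' "$1" | tr -d '-')
    tgt=$(printf '%s' "$2" | tr -d '-')
    [ "$lvl" -ge "$tgt" ]
}

# patch_status LEVEL: print one of full, partial, missing, unknown.
patch_status() {
    level=$1
    if ! valid_patch_level "$level"; then
        echo unknown
    elif patch_level_meets "$level" "$TARGET_FULL"; then
        echo full
    elif patch_level_meets "$level" "$TARGET_PARTIAL"; then
        echo partial
    else
        echo missing
    fi
}

# Report for a level passed on the command line, e.g. ./check.sh 2025-08-05
# On a connected device the value would come from:
#   adb shell getprop ro.build.version.security_patch | tr -d '\r'
if [ -n "${1:-}" ]; then
    printf '%s: %s\n' "$1" "$(patch_status "$1")"
fi
```

A result of `partial` means the framework and kernel fixes (including the two exploited bugs) are present but the vendor-component fixes may not be.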

Users running Android 12 and earlier should replace their device with a newer model that is actively supported, or use a third-party Android distribution that incorporates the latest security updates.

Samsung has also released its September maintenance update for its flagship devices, including fixes for flaws specific to its custom components, such as One UI.
