Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.
The vulnerabilities are listed below –
- CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
- CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component
Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.
The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of “limited, targeted exploitation.”
Benoît Sevens of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, indicating that it may have been abused as part of targeted spyware attacks.
Also patched by Google are several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities impacting Framework and System components.
Google has released two security patch levels, 2025-09-01 and 2025-09-05, so as to give Android partners the flexibility to more quickly address a portion of vulnerabilities that are similar across all Android devices.
“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google said.
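A fleet check against the two patch levels named above, as an added example that is not part of the original article or Google's bulletin: it classifies each device's reported patch level as full (2025-09-05 or later), partial (2025-09-01 up to 2025-09-04) or behind. The inventory, device serials and function names are constructed for illustration; the level string has the form reported by `getprop ro.build.version.security_patch`.

```shell
#!/bin/sh
# Patch levels named in the September 2025 bulletin (taken from the article).
PARTIAL_LEVEL=20250901
FULL_LEVEL=20250905

# classify_patch_level YYYY-MM-DD -> full | partial | behind | invalid
# (hypothetical helper name, not an Android tool)
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    n=$(printf '%s' "$1" | tr -d '-')
    if [ "$n" -ge "$FULL_LEVEL" ]; then
        echo full
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then
        echo partial
    else
        echo behind
    fi
}

# audit_inventory: reads "serial patch-level" lines on stdin and prints every
# device that is not at the full level, together with its classification.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        result=$(classify_patch_level "$level")
        [ "$result" = full ] || printf '%s %s %s\n' "$serial" "${level:-missing}" "$result"
    done
}

# Constructed sample inventory (serials are made up). On a real device the
# value comes from: adb shell getprop ro.build.version.security_patch
sample_inventory() {
    cat <<'EOF'
DEV-A 2025-09-05
DEV-B 2025-09-01
DEV-C 2025-08-05
DEV-D unknown
DEV-E 2025-10-01
EOF
}

sample_inventory | audit_inventory
```

Devices reported as `invalid` returned a value that is not a patch-level date and need a manual look rather than being counted as patched.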
Last month, Google released security updates to resolve two Qualcomm vulnerabilities, CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), that were flagged by the chipmaker as actively exploited in the wild.