Google has released the September 2025 Android security update, addressing more than 80 vulnerabilities, including two zero-day flaws that are already being exploited in attacks.
The first flaw, tracked as CVE-2025-38352, is a local privilege escalation bug in the Android/Linux kernel. It stems from a race condition in POSIX CPU timers and could allow attackers to gain higher system privileges or cause denial of service. The second, CVE-2025-48543, affects the Android Runtime (ART) and lets malicious apps bypass security restrictions to obtain elevated access.
Alongside these zero-days, Google also patched a critical remote code execution flaw (CVE-2025-48539) in the System component, which could let attackers compromise devices through Wi-Fi or Bluetooth without any user interaction. Several Qualcomm-specific vulnerabilities impacting modem and DSP components were also fixed.
The update is available with two patch levels, 2025-09-01 and 2025-09-05, with the latter providing broader protection by covering kernel and vendor issues.
Google said the source code for these fixes will be published on the Android Open Source Project (AOSP) within 48 hours. Users are strongly advised to install the latest updates as soon as they become available.
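To check which devices have reached either patch level, the sketch below triages a device inventory by reported security patch level. It is an added example, not code from Google or the bulletin. It assumes each device's level was collected as the string Android exposes in the `ro.build.version.security_patch` property; the CSV layout and device names are constructed for illustration.

```python
from datetime import date

# Patch levels named in the article for the September 2025 update.
BASE_LEVEL = date(2025, 9, 1)   # first patch level
FULL_LEVEL = date(2025, 9, 5)   # adds the kernel and vendor fixes

def classify(patch_level: str) -> str:
    """Map a security patch level string (YYYY-MM-DD) to a coverage status."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"        # empty or malformed value: needs manual review
    if level >= FULL_LEVEL:
        return "full"           # patch levels are cumulative, so later ones count
    if level >= BASE_LEVEL:
        return "partial"        # kernel and vendor issues not yet covered
    return "missing"            # predates the September 2025 update

def triage(inventory: str) -> dict:
    """Group device ids from 'device_id,security_patch' lines by status."""
    report = {"full": [], "partial": [], "missing": [], "unknown": []}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, _, level = line.partition(",")
        report[classify(level)].append(device.strip())
    return report

# Constructed sample inventory (hypothetical device names).
SAMPLE = """\
# device_id,security_patch
pixel-lab-01,2025-09-05
tablet-kiosk-07,2025-09-01
phone-field-12,2025-08-05
phone-field-19,
handset-qa-03,2025-10-01
"""

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(f"{status:8} {', '.join(devices) or '-'}")
```

Devices in the `partial` group have the 2025-09-01 fixes but not the kernel and vendor fixes that the 2025-09-05 level adds.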





