In its latest Android Security Bulletin, Google has confirmed the patching of 111 unique security vulnerabilities, including two zero-day vulnerabilities that were actively exploited in targeted attacks. The most concerning of these involve CVE-2025-48543, a flaw in Android Runtime, and CVE-2025-38352, a bug in the Linux kernel.
According to Google’s advisory, both CVE-2025-48543 and CVE-2025-38352 are elevation of privilege (EoP) vulnerabilities. These flaws enable attackers to gain elevated system privileges on Android devices without requiring any user interaction or additional execution rights.
“There are indications that the following may be under limited, targeted exploitation: CVE-2025-38352, CVE-2025-48543,” Google stated in the bulletin.
While Google has not released specific details on who might be exploiting these bugs or in what contexts, the acknowledgment of active exploitation stresses the severity of these issues. The company urges users to update their devices immediately to ensure they are protected.
CVE-2025-48543: Android Runtime Vulnerability
This vulnerability affects the Android Runtime (ART) component and was rated as “high” in severity. It affects Android versions 13 through 16. An attacker could leverage this flaw to perform local privilege escalation without requiring any user involvement.
The issue has been addressed through Google Play system updates, ensuring that devices with Google Mobile Services (GMS) receive timely protection even outside regular OTA (over-the-air) updates.
CVE-2025-38352: Linux Kernel Race Condition
The second critical vulnerability, CVE-2025-38352, resides in the Linux kernel, specifically in the handling of POSIX CPU timers. It stems from a race condition that could be exploited to escalate privileges locally. The vulnerability was first publicly patched in July 2025, and major Linux distributions have since deployed fixes.
Android devices that integrate this kernel version are also now receiving the fix via the September patch rollout. Google classifies this bug as “high” in severity due to its potential to compromise device integrity with little effort from attackers.
September 2025 Patch Details
The September 2025 Android Security Bulletin includes a comprehensive list of vulnerabilities, categorized by component. The bulletin spans flaws in Android Runtime, Framework, System, Kernel, and third-party components from MediaTek, Qualcomm, Arm, and Imagination Technologies.
One of the most severe vulnerabilities patched this month is CVE-2025-48539, a remote code execution (RCE) flaw in the System component that allows attackers to run code remotely without requiring user interaction.
Breakdown of Vulnerability Types
Of the 111 vulnerabilities addressed:
- A portion are elevation of privilege (EoP) issues, many of which require no user interaction.
- Several denial of service (DoS) vulnerabilities were also patched, including CVE-2025-48538 and CVE-2025-48542, both impacting Android versions 13 through 16.
- The Widevine DRM, WiFi, and Google Play system components also received critical patches.
Mitigations and User Protection
Google’s September 2025 Android update highlights the ongoing threat of privilege escalation attacks, with active exploits like CVE-2025-48543 and CVE-2025-38352 reinforcing the need for timely updates.
While protections like Google Play Protect help mitigate many risks, users are urged to install the latest patches and avoid unverified apps. Developers can expect AOSP patches within 48 hours, and all users should ensure their devices are updated to the 2025-09-05 patch level or later for full security.
