Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.
The vulnerabilities are listed below –
- CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
- CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component
Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.
The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of “limited, targeted exploitation.”
Benoît Sevens of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, indicating that it may have been abused as part of targeted spyware attacks.
Also patched by Google are several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities impacting Framework and System components.
Google has released two security patch levels, 2025-09-01 and 2025-09-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.
“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google said.
Last month, the tech giant Google released security updates to resolve two Qualcomm vulnerabilities — CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5) — that were flagged by the chipmaker as actively exploited in the wild.
