Google patches two Android zero-days, 120 defects complete in September safety replace

Google warned that two actively exploited zero-day vulnerabilities affecting Android units have been patched in its September security update, which addresses 120 software program defects complete. 

The zero-days — CVE-2025-38352 affecting the kernel and CVE-2025-48543 affecting Android Runtime — are each high-severity defects that don’t require consumer interplay for exploitation and will result in escalation of privilege with no further execution privileges wanted. Google mentioned there are indications that each of the vulnerabilities could also be underneath restricted, focused exploitation.

Google hasn’t included an actively exploited defect in its month-to-month batch of patches since May. The complete variety of vulnerabilities disclosed this month can be the best this 12 months. 

The Android safety replace incorporates two patch ranges — 2025-09-01 and 2025-09-05 — permitting Android companions to handle widespread vulnerabilities on completely different units.

Third-party Android gadget producers launch safety patches on their very own schedule after they’ve personalized working system updates for his or her particular {hardware}.

The main safety replace incorporates one vital vulnerability affecting the system element, CVE-2025-48539, which may result in distant code execution. The first patch degree additionally addresses 29 vulnerabilities within the framework, 28 within the system, one defect affecting Widevine DRM elements and 9 Google Play system updates.

The second patch consists of fixes for 3 vulnerabilities affecting the kernel, three Arm elements defects, 10 Imagination Technologies bugs and 4 vulnerabilities affecting MediaTek elements. The replace additionally addresses 32 vulnerabilities affecting Qualcomm components, together with 27 closed-source elements. 

Three of the vulnerabilities affecting Qualcomm’s proprietary elements — CVE-2025-21450, CVE-2025-21483 and CVE-2025-27034 — are designated as vital.

Google mentioned supply code patches for all vulnerabilities addressed on this month’s safety replace shall be launched to the Android Open Source Project repository by Thursday.