Google has released its September security update for Android, which fixes 120 critical vulnerabilities, including two that are actively exploited in real-world attacks. The issues affect the Linux kernel, Android Runtime, Framework, and System components, with the most dangerous bug allowing remote code execution without user intervention.
The company said that two of the vulnerabilities, CVE-2025-38352 (elevation of privilege in the Linux kernel) and CVE-2025-48543 (Android Runtime), have already been used by attackers in targeted attacks.
The update also fixes a number of code execution, information leakage, and denial of service issues in Framework, System, Widevine DRM, ARM, MediaTek, and Qualcomm components.
Google has released two levels of patches:
2025-09-01: covers common vulnerabilities that affect most Android devices.
2025-09-05: contains all previous fixes and additional patches from chipset manufacturers.
Google Play Protect and Android’s system-wide security mechanisms make exploiting vulnerabilities more difficult, but users are advised to update their devices immediately.

Every month, Google publishes an Android Security Bulletin, which reveals technical details of the vulnerabilities it finds. Partners receive a month’s notice before publication, and patches appear in the AOSP open source code within 48 hours.
The September Android update shows that mobile devices remain a top target for hackers. Smartphone owners should install the latest security level (2025-09-05) to close all critical vulnerabilities and minimize the risk of spyware attacks.
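To check devices against the two patch levels described above, the following script classifies a reported security patch level as full, partial, outdated, or invalid. It is an added example, not Google's tooling; the device names and inventory lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Patch levels named in the September 2025 bulletin summary above.
BASE_LEVEL="2025-09-01"   # common Android fixes
FULL_LEVEL="2025-09-05"   # all previous fixes plus chipset-manufacturer patches

# On a live device the value can be read with (assumes adb is set up):
#   adb shell getprop ro.build.version.security_patch

# Convert YYYY-MM-DD to an integer; return 1 if the string is malformed.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Classify one reported patch level: full | partial | outdated | invalid.
classify_patch_level() {
    lvl=$(level_to_int "$1") || { echo invalid; return 0; }
    if [ "$lvl" -ge "$(level_to_int "$FULL_LEVEL")" ]; then echo full
    elif [ "$lvl" -ge "$(level_to_int "$BASE_LEVEL")" ]; then echo partial
    else echo outdated
    fi
}

# Read "device_id patch_level" lines on stdin; print devices below FULL_LEVEL.
audit_inventory() {
    while read -r dev level; do
        [ -n "$dev" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = full ] || printf '%s %s %s\n' "$dev" "${level:-missing}" "$status"
    done
}

# Constructed inventory for illustration only.
sample_inventory() {
    cat <<'EOF'
pixel-lab-01 2025-09-05
tablet-kiosk-07 2025-09-01
phone-field-12 2025-08-05
scanner-03 unknown
EOF
}

sample_inventory | audit_inventory
```

A device reporting 2025-09-01 is flagged as partial because it lacks the chipset-manufacturer patches that only the 2025-09-05 level includes.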