Update your Android! Google patches 111 vulnerabilities, 2 are critical

Google has issued updates to patch a whopping 111 Android vulnerabilities, including two actively exploited ones.

Malwarebytes

Google has patched 111 vulnerabilities in Android, including two critical flaws, in its September 2025 Android Security Bulletin.

While the last few months have been quite calm regarding the number of vulnerabilities, this month is a real whopper with 111, compared to 6 in August and none in July.

The September updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version you’re on.

If your Android phone shows patch level 2025-09-05 or later, you can consider the issues fixed.
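For anyone looking after several devices, the same patch-level check can be scripted over adb. This is an added example, not part of the original article; it assumes adb is installed and USB debugging is authorized on each device, and the function names and sample serials are constructed for illustration.

```shell
#!/bin/sh
REQUIRED="2025-09-05"   # patch level the article names as fixed

# patch_status LEVEL: print "patched", "outdated" or "unknown".
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty or vendor-specific text
    esac
    # Fixed-width ISO dates compare correctly as integers without dashes.
    have=$(printf '%s' "$1" | sed 's/-//g')
    need=$(printf '%s' "$REQUIRED" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then echo patched; else echo outdated; fi
}

# audit_report: read "serial level" lines on stdin, print one verdict each.
audit_report() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s\t%s\t%s\n' "$serial" "${level:-none}" "$(patch_status "$level")"
    done
}

# count_unpatched: number of devices on stdin not confirmed as patched.
count_unpatched() {
    audit_report | awk -F'\t' '$3 != "patched" { n++ } END { print n + 0 }'
}

# collect_from_adb: emit "serial level" for every device attached over adb.
collect_from_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from swallowing the rest of the serial list.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s %s\n' "$serial" "$level"
    done
}

# sample_inventory: constructed serials and patch levels for an offline run.
sample_inventory() {
    printf '%s\n' 'emulator-5554 2025-09-05' 'CONSTRUCTED01 2025-08-05' \
        'CONSTRUCTED02 2025-10-01' 'CONSTRUCTED03 2025-09-01' 'CONSTRUCTED04'
}

# "--adb" audits attached devices; "--sample" runs on the constructed data.
case ${1:-} in
    --adb) collect_from_adb | audit_report ;;
    --sample) sample_inventory | audit_report ;;
esac
```

A device that reports no patch level, or reports it in a non-date format, is listed as unknown rather than assumed patched.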

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

Technical information

Google notes that:

“there are indications that the following may be under limited, targeted exploitation.

CVE-2025-38352

CVE-2025-48543”

But it doesn’t provide any details about how and against whom these vulnerabilities were used. So, let’s have a closer look at those two first.

CVE-2025-38352 is a race condition vulnerability in the Linux kernel time subsystem, which may allow a local attacker to gain an elevation of privilege (EoP).

A race condition arises when different threads (processes or programs) use the same resource without being synchronized. That creates a brief period, the race window, during which an attacker could exploit the flaw.

In this case the resource is CPU time: the amount of time that a central processing unit (CPU) was used for processing the instructions of a computer program or operating system.

A “local attacker,” which can also be an installed app or shell, could exploit this vulnerability to gain permissions it would not normally get or have.

CVE-2025-48543 is a vulnerability in the Android Runtime (ART), the system responsible for running applications on Android devices. Basically, it translates instructions into machine code that the processor understands. The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

And then there is the vulnerability tracked as CVE-2025-48539. This critical vulnerability was found in the System component and could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed and no user interaction required.

The part where the description says remote (proximal/adjacent) is a bit of a mystery, but our best guess is this means an attacker could compromise a device from a short distance, so it might be by means of Bluetooth, NFC, or Wi-Fi Direct.

This type of vulnerability always makes researchers nervous, because it could be “wormable,” meaning it can spread from one device to the next. And if that is true, it can spread like wildfire in crowded environments like concerts and conferences.
