Headline
Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack
Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. The vulnerabilities are listed below -
CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component CVE-2025-48543 (CVSS score: N/A) - A
Mobile Security / Vulnerability
Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.
The vulnerabilities are listed below -
- CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component
- CVE-2025-48543 (CVSS score: N/A) - A privilege escalation flaw in the Android Runtime component
Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.
The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of “limited, targeted exploitation.”
Benoît Sevens of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, indicating that it may have been abused as part of targeted spyware attacks.
Also patched by Google are several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities impacting Framework and System components.
Google has released two security patch levels, 2025-09-01 and 2025-09-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.
“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google said.
Last month, the tech giant Google released security updates to resolve two Qualcomm vulnerabilities – CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5) – that were flagged by the chipmaker as actively exploited in the wild.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks. The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution. "Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known "zero-day" or actively exploited vulnerabilities in this month's bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft's most-dire "critical" label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.
Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the
Google has issued updates to patch a whopping 111 Android vulnerabilities, including two actively exploited ones.
Google has patched 6 vulnerabilities in Android including two critical ones, one of which can compromise a device without the user needing to do anything.