Google’s September 2025 Android security bulletin is out, tackling several high-risk vulnerabilities, including four labeled critical.

According to the bulletin, the September 2025 Android security update fixes 84 vulnerabilities, two of which are already under active exploitation. The two zero-days, tracked as CVE-2025-38352 and CVE-2025-48543, are a kernel elevation-of-privilege bug and a runtime flaw that could enable malicious apps to escape sandbox protections and gain elevated system access. Users are urged to apply the patch immediately.

Google confirmed that both flaws enable local privilege escalation and that exploiting them requires neither special permissions nor any action from the user. While the company hasn’t revealed specific details about the in-the-wild attacks or whether the vulnerabilities were chained together, it acknowledged evidence of “limited, targeted exploitation.”

The September security patches tackle multiple high-severity vulnerabilities, ranging from denial-of-service and information disclosure flaws to privilege escalation risks, including one remote code execution bug. The update also resolves issues in components from Qualcomm, MediaTek, Arm, and Imagination Technologies. Four of the patched vulnerabilities are rated critical.

More vulnerabilities could let attackers run code remotely

Beyond the two exploited zero-days, this month’s Android update tackles four critical vulnerabilities. The most severe is CVE-2025-48539, a remote code execution bug in the Android System. An attacker within Bluetooth or Wi-Fi range could exploit this to run malicious code on a device with no user interaction or special privileges required.

A notification to install these security updates should appear soon on your Android phone. This month’s patches cover AOSP versions 13 through 16 and ship as two security patch levels, 2025-09-01 and 2025-09-05. For complete coverage of all fixes, make sure you install the 2025-09-05 patch.

While Google rolls out patches for Pixel phones and the core AOSP code, brands like Samsung, Motorola, and Nokia push their own updates for their devices.

To check for updates, go to Settings > Security & Privacy > System & Updates > Security Update, then follow the prompts to download and install any available patch.
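For anyone managing more than one device, the same check can be scripted. The following is an added example, not code from Google or from this article: it classifies reported security patch levels against the two levels named above. The device names and inventory lines are constructed, and it assumes each level was collected beforehand, for instance with `adb shell getprop ro.build.version.security_patch`.

```shell
#!/bin/sh
# Added example: audit Android security patch levels against the
# September 2025 levels named in the article.
PARTIAL_LEVEL="2025-09-01"   # first September level (partial coverage)
FULL_LEVEL="2025-09-05"      # level the article says covers all fixes

# Print full, partial, outdated or invalid for one patch-level string.
# Assumption: levels later than FULL_LEVEL also contain these fixes.
classify_patch_level() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # empty, "unknown", localized dates
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer.
    n=$(echo "$level" | sed 's/-//g')
    full=$(echo "$FULL_LEVEL" | sed 's/-//g')
    partial=$(echo "$PARTIAL_LEVEL" | sed 's/-//g')
    if [ "$n" -ge "$full" ]; then echo full
    elif [ "$n" -ge "$partial" ]; then echo partial
    else echo outdated
    fi
}

# Read "device patch_level" lines on stdin, print every device that is not
# at the full level, and return 1 if any such device was found.
audit_inventory() {
    rc=0
    while read -r device level; do
        [ -z "$device" ] && continue
        status=$(classify_patch_level "$level")
        if [ "$status" != full ]; then
            echo "$device $level $status"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (hypothetical device names).
sample_inventory() {
    cat <<'EOF'
device-a 2025-09-05
device-b 2025-09-01
device-c 2025-08-05
device-d unknown
EOF
}

sample_inventory | audit_inventory || echo "devices listed above still need $FULL_LEVEL"
```

A device reported as `invalid` returned no parseable patch level and should be checked by hand rather than assumed patched.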