Google Patches 120 Vulnerabilities in Android, Including Two 0-days

Google developers have released security updates for Android that fix 120 vulnerabilities in the operating system. According to the company, two of these issues have already been used by hackers in targeted attacks.

The 0-days patched this month have been assigned the identifiers CVE-2025-38352 (7.4 out of 10 on the CVSS scale)—a privilege escalation flaw in the Linux Kernel component—and CVE-2025-48543—a privilege escalation flaw in the Android Runtime component.

Google notes that these vulnerabilities are already being used in limited, targeted attacks; however, the company does not disclose any details about these incidents. It is reported that exploiting these vulnerabilities requires no user interaction.

CVE-2025-38352 is a vulnerability in the Linux kernel that was discovered on July 22, 2025, and patched in kernel versions 6.12.35-1 and later. The issue stems from a race condition in POSIX CPU timers that disrupts the task cleanup procedure, destabilizing the kernel and potentially leading to crashes, denial of service, and privilege escalation.

CVE-2025-48543, in turn, affects the Android Runtime, where Java/Kotlin applications and system services run. It potentially allows a malicious application to bypass sandbox protection and gain access to higher-level system capabilities.

In addition to the two actively exploited 0-days, the September update fixed four critical bugs:

  • CVE-2025-48539: A remote code execution (RCE) flaw in the Android System component. It allows an attacker within physical or network proximity (e.g., within Bluetooth or Wi-Fi range) to execute arbitrary code on the device without any user interaction or privileges.
  • CVE-2025-21450, CVE-2025-21483, and CVE-2025-27034: Affect proprietary Qualcomm components. According to details provided by Qualcomm in its own security bulletin, CVE-2025-21450 is related to the GPS management system, CVE-2025-21483 covers issues with network data stacks, and CVE-2025-27034 is related to an issue in the multi-mode call processor.

As usual, Google has prepared two patch levels, 2025-09-01 and 2025-09-05, so that partners can more quickly ship fixes for the subset of vulnerabilities common to all Android devices.