Google has rolled out its September 2025 security update for Android, patching 84 vulnerabilities, two of which are confirmed as actively exploited zero-day flaws. The release underscores the pressure on mobile platforms, with attackers targeting kernel and runtime weaknesses to take over devices. The two exploited vulnerabilities, CVE-2025-38352 and CVE-2025-48543, are both local elevation-of-privilege bugs: the first is a race condition in the Linux kernel's POSIX CPU timer code, the second an escape from the Android Runtime (ART) sandbox. Google said there are indications of "limited, targeted exploitation" but withheld specifics, consistent with the stealthy nature of these attacks.

The Exploited Vulnerabilities: A Technical Breakdown

  • CVE-2025-38352: A race condition in the Linux kernel's POSIX CPU timer code (the CVE was published in July 2025). Timer expiry processing can race with deletion of the same timer while the owning task is being torn down; an attacker who wins the race can crash the kernel or turn the resulting memory corruption into privilege escalation. Fixed upstream in stable kernel 6.12.35 and later, with backports to the other maintained stable branches.
  • CVE-2025-48543: An elevation-of-privilege bug in Android Runtime (ART), the component that executes apps' Java/Kotlin bytecode. A malicious app already installed on the device could break out of its sandbox and reach system functionality it should not have; per the bulletin, no additional execution privileges and no user interaction are required.

Critical Remote Code Execution Risks

Beyond the zero-days, four critical-severity flaws demand attention:
  • CVE-2025-48539: Allows an unauthenticated attacker within Bluetooth or Wi-Fi range to execute arbitrary code via Android's System component, with no user interaction required.
  • Qualcomm-specific flaws (CVE-2025-21450, CVE-2025-21483, CVE-2025-27034): These affect Qualcomm's closed-source components, with CVE-2025-21483 enabling remote code execution through malformed video packet reassembly. As Qualcomm's advisory explains:

"CVE-2025-21483 triggers out-of-bounds writes during RTP packet processing, corrupting memory remotely."
Similarly, CVE-2025-27034 targets modem baseband weaknesses while network responses are being processed.

Scope and Urgency

The update covers Android 13 through 16; the 84 Android fixes plus 27 Qualcomm fixes bring the total to 111 patches. Owners of MediaTek-based devices should consult their vendor's bulletin. Google urges installing the update immediately via Settings > System > Software updates (the exact menu path varies by vendor). For devices on Android 12 or older, which no longer receive Google security patches, the guidance is stark: replace them or switch to a security-supported OS such as a third-party ROM.
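Whether a given device actually has these fixes is answered by the security patch level it reports, not by its kernel version string (Android GKI kernels carry vendor suffixes and backports that make a plain version comparison unreliable). The script below is an added example, not code from the article, Google or BleepingComputer; it classifies a device's reported patch level and Android release against this bulletin. It assumes Android's usual two-level convention (the 2025-09-01 level carries the AOSP framework/system fixes and 2025-09-05 adds kernel and vendor components), assumes adb is installed and the device is authorized when run with --device, and the values in the offline demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the article or from Google): classify an Android
# device's security patch level and release against the September 2025
# bulletin. Run with --device to query a connected phone over adb; without
# arguments it runs an offline demonstration on constructed values.

# Assumed two-level convention: 2025-09-01 = AOSP framework/system/ART fixes,
# 2025-09-05 = those plus kernel and vendor (Qualcomm) fixes. Only the
# 2025-09-05 level is treated as covering the whole bulletin.
REQUIRED_FULL=20250905
REQUIRED_AOSP=20250901

# Turn "YYYY-MM-DD" into an integer so the shell can compare it with -ge.
# Prints nothing and returns 1 if the string is not a well-formed date.
patch_level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# Echoes one of: full | aosp-only | missing | invalid
classify_patch_level() {
    n=$(patch_level_to_int "$1") || { echo invalid; return 0; }
    if [ "$n" -ge "$REQUIRED_FULL" ]; then
        echo full
    elif [ "$n" -ge "$REQUIRED_AOSP" ]; then
        echo aosp-only
    else
        echo missing
    fi
}

# The bulletin covers Android 13 through 16. Older releases get no fixes
# from Google, so a current patch level is not achievable there.
# Echoes one of: supported | unsupported | unknown
classify_release() {
    major=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')
    if [ -z "$major" ]; then
        echo unknown
    elif [ "$major" -ge 13 ]; then
        echo supported
    else
        echo unsupported
    fi
}

# Combine both signals into a one-line verdict: release first, because an
# end-of-life release cannot be fixed by any patch level.
verdict() {
    release_state=$(classify_release "$1")
    patch_state=$(classify_patch_level "$2")
    case "$release_state:$patch_state" in
        unsupported:*) echo "EOL release $1: replace device or move to a supported OS" ;;
        *:full)        echo "patched: $2 includes the full September 2025 bulletin" ;;
        *:aosp-only)   echo "partial: $2 lacks the 2025-09-05 kernel/vendor fixes" ;;
        *:missing)     echo "unpatched: $2 predates the September 2025 bulletin" ;;
        *)             echo "cannot evaluate release=$1 patch=$2" ;;
    esac
}

if [ "${1:-}" = "--device" ]; then
    # Live check: read the two properties from the connected device.
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    verdict "$rel" "$lvl"
else
    # Offline demonstration with constructed values.
    verdict 16 2025-09-05
    verdict 14 2025-09-01
    verdict 13 2025-08-01
    verdict 12 2025-09-05
fi
```

A device that reports only the 2025-09-01 level is "partial" here on purpose: under the assumed convention it has the ART and System fixes but not the kernel fix for CVE-2025-38352 or the Qualcomm fixes, which is exactly the case an over-the-air update split across two levels can leave behind.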

Samsung has also released complementary fixes for its One UI components, a reminder that in today's fragmented landscape, protection depends on every vendor in the chain shipping on time. Separate research cited alongside this report found over 46% of environments vulnerable to password cracking; it is unrelated to Android, but it points the same way: this update is a crucial countermeasure against evolving exploits, and in mobile security, delays are not just inconvenient. They are an open door for attackers.

Source: BleepingComputer