Google has released the September 2025 Android Security Bulletin, addressing a large set of vulnerabilities across the ecosystem. Devices running Android 10 and later with the 2025-09-05 patch level are protected against all identified threats.
This month’s bulletin includes dozens of vulnerabilities spanning the Android Framework, System, and Kernel as well as vendor components from MediaTek, Qualcomm, and Arm.
Google notes: “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.”
Two vulnerabilities have been flagged as under active exploitation:
- CVE-2025-38352 (CVSS 7.4) – A Linux kernel race condition in posix-cpu-timers that could allow an attacker to trigger kernel instability or denial of service under specific timing scenarios. Google confirmed this issue is being exploited in “limited, targeted attacks.”
- CVE-2025-48543 (High) – A vulnerability in the Android Runtime (ART) that enables local privilege escalation without user interaction. While technical exploitation details remain undisclosed, Google notes that exploitation attempts have been observed in the wild.
Beyond the two exploited flaws, several critical vulnerabilities were patched this month:
- CVE-2025-48539 (Critical, System) – A remote code execution (RCE) flaw in the System component. This vulnerability requires no user interaction and could allow an attacker within proximity (e.g., Wi-Fi or Bluetooth range) to compromise a device completely.
- Multiple Qualcomm closed-source component vulnerabilities were rated as Critical, including CVE-2025-21450, CVE-2025-21483, and CVE-2025-27034. These issues affect proprietary subsystems such as the modem, DSP, and kernel modules, with potential for remote code execution or full system compromise.
Other high-severity vulnerabilities addressed in this bulletin include:
- Privilege escalation flaws in the Framework (e.g., CVE-2025-32324, CVE-2025-48552)
- Denial-of-service issues in System components (e.g., CVE-2025-48550, CVE-2025-48559)
- Vulnerabilities in third-party components like Arm’s Mali GPU, Imagination’s PowerVR, and MediaTek’s modem stack
With multiple critical flaws affecting the System and vendor components, Android users—particularly those handling sensitive data—should apply the latest security updates without delay.
As Google emphasizes, source code patches will be released to the Android Open Source Project (AOSP) within 48 hours, ensuring transparency and enabling device makers to roll out fixes rapidly.
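Whether a fleet has actually reached the 2025-09-05 patch level is the first thing to verify. The script below is an added example, not part of the bulletin or any Google tooling; it assumes each device's level is collected with adb (the real command is shown in the comment) and uses constructed inventory lines with fake serials in place of live output.

```shell
#!/bin/sh
# Added example, not from the bulletin: audit Android devices against the
# 2025-09-05 security patch level that the bulletin says closes all the
# listed issues. The level comes from ro.build.version.security_patch, which
# on a connected device is read with (real adb command, assumed available):
#   adb -s SERIAL shell getprop ro.build.version.security_patch
REQUIRED_PATCH="2025-09-05"

# patch_level_ok LEVEL: exit 0 if LEVEL (YYYY-MM-DD) is at or after the
# required level, 1 if it is older, 2 if the value is malformed.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    have=$(printf '%s' "$1" | tr -d '-')
    want=$(printf '%s' "$REQUIRED_PATCH" | tr -d '-')
    [ "$have" -ge "$want" ]
}

# audit_devices: read "SERIAL PATCH_LEVEL" lines from stdin, print one
# verdict per device and a final "behind=N" summary line. Devices with a
# malformed or missing value are counted as behind, not silently passed.
audit_devices() {
    behind=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        rc=0
        patch_level_ok "$level" || rc=$?
        case "$rc" in
            0) printf '%s %s OK\n' "$serial" "$level" ;;
            1) printf '%s %s NEEDS UPDATE\n' "$serial" "$level"
               behind=$((behind + 1)) ;;
            *) printf '%s %s UNKNOWN (malformed value)\n' "$serial" "$level"
               behind=$((behind + 1)) ;;
        esac
    done
    printf 'behind=%d\n' "$behind"
}

# Constructed inventory standing in for real adb output (serials are fake).
SAMPLE_INVENTORY='emulator-5554 2025-09-05
fake-serial-01 2025-08-05
fake-serial-02 2025-10-05
fake-serial-03 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_devices
```

In production the inventory would be built by looping over `adb devices` and running the getprop command per serial; the verdict logic is unchanged.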