Google warned that two actively exploited zero-day vulnerabilities affecting Android devices have been patched in its September security update, which addresses 120 software defects total. 

The zero-days — CVE-2025-38352 affecting the kernel and CVE-2025-48543 affecting Android Runtime — are both high-severity defects that don’t require user interaction for exploitation and could lead to escalation of privilege with no additional execution privileges needed. Google said there are indications that both of the vulnerabilities may be under limited, targeted exploitation.

Google hasn’t included an actively exploited defect in its monthly batch of patches since May. The total number of vulnerabilities disclosed this month is also the highest this year. 

The Android security update contains two patch levels — 2025-09-01 and 2025-09-05 — allowing Android partners to address common vulnerabilities on different devices.

Third-party Android device manufacturers release security patches on their own schedule after they’ve customized operating system updates for their specific hardware.

The primary security update contains one critical vulnerability affecting the system component, CVE-2025-48539, which could lead to remote code execution. The first patch level also addresses 29 vulnerabilities in the framework, 28 in the system, one defect affecting Widevine DRM components and nine Google Play system updates.

The second patch includes fixes for three vulnerabilities affecting the kernel, three Arm components defects, 10 Imagination Technologies bugs and four vulnerabilities affecting MediaTek components. The update also addresses 32 vulnerabilities affecting Qualcomm components, including 27 closed-source components. 

Three of the vulnerabilities affecting Qualcomm’s proprietary components — CVE-2025-21450, CVE-2025-21483 and CVE-2025-27034 — are designated as critical.

Google said source code patches for all vulnerabilities addressed in this month’s security update will be released to the Android Open Source Project repository by Thursday.

The post Google patches two Android zero-days, 120 defects total in September security update appeared first on CyberScoop.