Particle.news

Google Patches Two Actively Exploited Android Zero‑Days in September Security Update

Partners will ship the fixes on staggered schedules, so many non‑Pixel devices will receive protection later.

Overview

  • The September 2025 bulletin addresses roughly 120 vulnerabilities, the largest monthly total this year, including two zero‑days under limited, targeted exploitation.
  • The exploited flaws are CVE-2025-38352 in the Linux kernel and CVE-2025-48543 in Android Runtime, both enabling local privilege escalation without user interaction.
  • Google also flagged a critical System bug, CVE-2025-48539, that could allow remote code execution without user interaction or additional privileges.
  • Two patch levels, 2025-09-01 and 2025-09-05, are available to help partners remediate shared issues across devices, with Pixels receiving updates promptly.
  • Source code fixes are slated for release to the Android Open Source Project by Thursday. The update also carries many vendor component patches, among them three critical Qualcomm issues (CVE-2025-21450, CVE-2025-21483, CVE-2025-27034).