Particle.news

Google’s September Android Patch Fixes Two Exploited Zero‑Days and 120 Flaws

Most devices will get protection once vendors complete their customized rollouts.

Overview

  • Google’s bulletin identifies CVE-2025-38352 in the Linux kernel and CVE-2025-48543 in Android Runtime as the two zero‑days under limited, targeted exploitation; both enable local privilege escalation without user interaction.
  • The release also addresses a critical System vulnerability, CVE-2025-48539, that allows remote code execution with no extra privileges or user action required.
  • Two patch levels, 2025-09-01 and 2025-09-05, are available to help partners stage fixes across device lines, with AOSP source updates slated to be posted by Thursday.
  • Benoît Sevens of Google’s Threat Analysis Group is credited with discovering CVE-2025-38352, underscoring TAG’s role in identifying targeted attacks against Android users.
  • Component updates span the kernel and multiple vendors, including 32 Qualcomm issues (27 in closed‑source components) with three proprietary Qualcomm CVEs rated critical, plus fixes for Arm, Imagination Technologies, MediaTek, and Widevine.