Leaky Android. Google Releases 120 Patches and Someone is Using Vulnerabilities in Your Smartphone Right Now

CVE-2025-38352 and CVE-2025-48543 are already in play.

Android has released its largest set of fixes this year, breaking from the traditional "Patch Tuesday" cycle. Following reports of active exploitation of two vulnerabilities, the system received a total of 120 patches—a record number for 2025. For comparison: the platform did not release a single update in July, but the September release addresses critical issues.
Two high-severity bugs are drawing particular attention. CVE-2025-38352 affects the Linux kernel, the foundation of the OS, and CVE-2025-48543 was found in the runtime environment where Android applications operate. Both flaws allow local privilege escalation without user interaction. Google did not specify who exactly is exploiting these holes or how, but the wording in the report hints at the possible involvement of companies developing spyware. Specialists from Citizen Lab at the University of Toronto stated that they have not yet recorded exploitation of these bugs. However, the Hong Kong CERT issued its own warning and confirmed signs of "limited targeted attacks."
In addition to these Android vulnerabilities, the September package fixes three critical vulnerabilities in proprietary Qualcomm components. CVE-2025-21450 (CVSS score 9.1) relates to the GPS management system, CVE-2025-21483 affects network stacks, and CVE-2025-27034 is linked to the multi-mode call processor. In total, Qualcomm resolved several serious issues at once, while continuing to strengthen its support policy: since February, the update support period for its components has been increased from four to eight years. For comparison, Google guarantees seven years of support for the Pixel 8 line and newer models.
Imagination Technologies also received its share of fixes: ten high-risk patches for PowerVR graphics processors. Furthermore, a critical remote code execution vulnerability in a system component (CVE-2025-48539) has been fixed in Android itself, requiring immediate installation of the update.
However, the key problem remains the speed of update distribution. Google Pixel owners receive patches promptly, but this line accounts for only about four percent of the US market. Major players—Samsung and Motorola—will implement the fixes on their own schedules. The release timelines for these updates have not yet been announced.
Thus, the September Android release has become the largest since the beginning of the year and immediately reflects new realities: vulnerabilities are being actively exploited, which means the speed of delivering updates is critical. For now, the gap between the timely support of "pure" Android and the practices of other manufacturers remains one of the ecosystem's main problems.