Android has released its most extensive patch bundle of the year, outpacing the traditional “Patch Tuesday” cycle. In response to reports of active exploitation of two vulnerabilities, the system received 120 fixes at once — a record number for 2025. By contrast, no updates were issued in July, yet September’s release addresses multiple critical flaws.
Particular attention centers on two highly dangerous bugs. CVE-2025-38352 affects the Linux kernel at the heart of the OS, while CVE-2025-48543 was identified in the runtime environment where Android applications execute. Both vulnerabilities allow local privilege escalation without user interaction. Google did not specify who is exploiting these flaws or how, though the language in its report hints at possible ties to companies developing surveillance tools. Experts at the University of Toronto’s Citizen Lab stated they had not yet observed exploitation, but CERT Hong Kong issued its own warning, confirming evidence of “limited, targeted attacks.”
Beyond these Android vulnerabilities, September’s patch set addresses three critical flaws in Qualcomm’s proprietary components. CVE-2025-21450 (CVSS 9.1) impacts the GPS management system, CVE-2025-21483 targets network stacks, and CVE-2025-27034 affects the multimode call processor. Qualcomm resolved multiple severe issues while reinforcing its support policy: since February, the update window for its components has been extended from four to eight years. By comparison, Google guarantees seven years of support for Pixel 8 and newer models.
Imagination Technologies also received its share of fixes: ten high-risk patches for its PowerVR graphics processors. Within Android itself, a critical remote code execution vulnerability (CVE-2025-48539) in a core system component was closed, underscoring the urgency of immediate updates.
Yet the central challenge remains the pace of update distribution. Google Pixel owners receive patches promptly, but the lineup represents only about four percent of the U.S. market. Major players such as Samsung and Motorola will roll out fixes according to their own schedules, with no firm timelines announced.
In sum, September’s Android release stands as the most sweeping of the year, reflecting a stark reality: vulnerabilities are being actively exploited, making the speed of patch delivery absolutely critical. For now, the gulf between the timely support of “pure” Android and the uneven practices of other manufacturers continues to be one of the ecosystem’s most pressing concerns.
