Android drops mega patch bomb - 120 fixes, two already exploited

Patch Tuesday is next week, but Android is ahead of the game, dropping its biggest patch bundle this year while attackers actively exploit two of the now-fixed flaws.

This month, the world's most popular mobile operating system pushed out 120 patches, its biggest monthly dump this year. It's a far cry from July, when Android didn't issue a single patch as everything was apparently fine, but in September, two of the flaws may be under "limited, targeted exploitation."

The two biggest concerns are CVE-2025-38352, a high-severity problem with the Linux kernel at the heart of the operating system, and CVE-2025-48543, a high-severity issue with Android's runtime environment hosting apps. An attacker can escalate local privileges with both flaws, without even requiring user interaction.

Google declined to name who is exploiting the flaws or how, but the language suggests that a surveillanceware company is using them to ...