Google has issued a critical warning for all Android users, confirming that two separate vulnerabilities have been exploited in the wild. Such is the seriousness of this month’s security update that Google will quickly fix all eligible Pixel devices.
The two high-severity vulnerabilities that have been exploited — CVE-2025-38352 and CVE-2025-48543 — affect the Android Kernel and Android Runtime respectively. As ever, Google has not issued any material detail at this early stage.
There are also four other critical fixes — CVE-2025-48539, CVE-2025-21450, CVE-2025-21483 and CVE-2025-27034. The first is an Android System issue, whilst the other three relate to Qualcomm chipsets and the release of manufacturer fixes.
Google says CVE-2025-38352 and CVE-2025-48543 are deeply concerning, and both “could lead to local escalation of privilege with no additional execution privileges needed.” More alarmingly, “user interaction is not needed for exploitation.”
Whilst Pixels will be updated immediately, other OEMs will receive code patches “in the next 48 hours” and will need to update their own monthly bulletins and firmware releases. You can expect the usual deployment schedule over the coming weeks.
A timely reminder that only devices still eligible for monthly security updates will receive these fixes. Upwards of a billion Android phones are no longer on any form of support contract, and many are running versions of Android that can’t be updated.
This is exactly why owners of these older devices are urged to upgrade their phones if they can’t update their software. Until you do, your data and your device are at risk.
As Zimperium warns, “a significant percentage (25.3%) of devices are not upgradeable due to the device’s age.” And delayed updates make that problem worse. “At any given point in the year, over 50% of mobile devices are running outdated OS versions, and a significant number are compromised or infected.”