Critical Android vulnerabilities patched—update as soon as you can
Google has patched six vulnerabilities in Android, including two critical vulnerabilities, in its August 2025 Android Security Bulletin. The bulletin also covers a critical vulnerability which could have allowed an attacker to execute code on a victim’s device without the victim needing to do anything at all.
Last month, Google skipped its monthly security update for the first time in almost ten years. Normally we’ll see dozens of vulnerabilities addressed each month, so the skipped month was both welcome and slightly worrying. All this while Google reported that its Artificial Intelligence (AI) Big Sleep system found 20 vulnerabilities in several open-source software projects.
The August updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for all devices immediately.
You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.
For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.
If your Android phone shows patch level 2025-08-05 or later then you can consider the issues as fixed.
Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.
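For anyone checking more than one handset, the same patch-level comparison can be scripted over adb. This is an added example, not part of the original article or any Google tooling; it assumes adb is installed and USB debugging is enabled, and the function names and status strings are hypothetical. Devices below the threshold that run Android 16 are flagged separately, because that is the only version affected by CVE-2025-48530.

```shell
#!/bin/sh
# Added example: compare a device's security patch level with the
# 2025-08-05 level the article names as fixed.
REQUIRED_PATCH="2025-08-05"

# patch_status PATCH_LEVEL ANDROID_RELEASE   (hypothetical helper)
# Prints: patched | unpatched | unpatched-android16 | unknown
patch_status() {
    patch=$1
    release=$2
    # Patch levels are ISO dates (YYYY-MM-DD); anything else is unknown
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Drop the dashes so the dates compare as plain integers
    have=$(printf '%s' "$patch" | sed 's/-//g')
    need=$(printf '%s' "$REQUIRED_PATCH" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then
        echo patched
    elif [ "${release%%.*}" = "16" ]; then
        # Android 16 below the threshold: exposed to CVE-2025-48530
        echo unpatched-android16
    else
        echo unpatched
    fi
}

# check_device [SERIAL]: read both properties from an attached device.
# adb may append carriage returns to getprop output, so strip them.
check_device() {
    level=$(adb ${1:+-s "$1"} shell getprop ro.build.version.security_patch | tr -d '\r')
    rel=$(adb ${1:+-s "$1"} shell getprop ro.build.version.release | tr -d '\r')
    patch_status "$level" "$rel"
}

# Constructed sample values (not taken from real devices)
for sample in "2025-08-05 16" "2025-06-05 16" "2025-07-01 14"; do
    set -- $sample
    printf 'patch %s, Android %s: %s\n' "$1" "$2" "$(patch_status "$1" "$2")"
done
```

With a phone attached, running check_device (optionally with a serial number from adb devices) prints the status for that device.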
Technical information
The critical RCE vulnerability is tracked as CVE-2025-48530: a vulnerability in the Android System which could lead to remote code execution in combination with other bugs, with no additional execution privileges needed. User interaction is not needed for exploitation. This makes it a top-priority patch, although it only affects Android version 16, since it poses the risk of attackers being able to compromise affected devices silently.
The other critical vulnerability is tracked as CVE-2025-21479: unauthorized command execution in GPU micronode can cause memory corruption while executing a specific sequence of commands.
A GPU micronode is a small, specialized part within the Graphics Processing Unit (GPU) that handles specific tasks related to processing and rendering graphics on the Android device. It’s a critical component for making the visuals work smoothly and correctly.
Researchers recently discovered serious vulnerabilities in the GPU micronode of Qualcomm’s Adreno GPUs, which power billions of Android devices. Qualcomm has identified three such vulnerabilities and this patch fixes the second one they warned about.