Google’s December Security Update Fixes Two Zero-Day Exploits (and 105 Others)

In its December Android security bulletin, Google ships an unusually large number of fixes for vulnerabilities across different components, and two of the flaws may have been exploited in the wild.

The December patch covers 107 bugs in the Android kernel, system and framework as well as components from Qualcomm, MediaTek, Arm, Unisoc and Imagination Technologies. The high-severity vulnerabilities include denial-of-service, elevation-of-privilege, and information-disclosure flaws. There are also a handful of bugs labeled “critical.”

Two active exploits

Two of the vulnerabilities fixed in the December update are zero-day vulnerabilities, which are flaws that were actively exploited or publicly disclosed before the developer made a patch available. Google notes that both may be subject to “limited and targeted exploitation.”

CVE-2025-48633 is an information disclosure vulnerability, while CVE-2025-48572 is an elevation of privilege vulnerability. Both affect the Android Framework in versions 13 to 16.

Google has not disclosed any additional information about the flaws and how they may have been exploited (or by whom). However, as Bleeping Computer reports, similar bugs have been targeted in the past by commercial spyware operations and nation-state campaigns.

Make sure your Android device is up to date

You should always install security patches as soon as they become available, so if you see an update notification, go ahead and follow the prompts to download and install it. You can also check for updates via a path like Settings > Security & Privacy > System & Updates > Security Update. Note that the path may be slightly different depending on your device, and you can always search Settings for “update” to locate it.

This month’s patches apply to versions 13, 14, 15, and 16 of the Android Open Source Project (AOSP) and are dated 12/01/2025 and 12/05/2025; the latter fixes all known issues.

Pixel devices (and the core AOSP code) receive patches from Google, and users of other Android devices from Huawei, LGE, Samsung, Motorola, and Nokia should see updates from their respective manufacturers around the same time.
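
For anyone checking more than one device, the two patch levels above can be turned into a quick audit. The script below is an added example, not from Google or the original article: it classifies the patch level a device reports against 12/01/2025 and 12/05/2025. The inventory is constructed sample data, and reading the values over adb is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): classify Android security patch levels
# against the two December levels the article names.
# Inputs are the Android release and the patch-level string (YYYY-MM-DD) a
# device reports; fetching them with
#   adb shell getprop ro.build.version.release
#   adb shell getprop ro.build.version.security_patch
# is an assumption about how you collect the inventory.

PARTIAL_LEVEL="2025-12-01"  # first December level
FULL_LEVEL="2025-12-05"     # level the article says fixes all known issues

to_num() { printf '%s' "$1" | tr -d '-'; }  # 2025-12-05 -> 20251205

classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '\r ')  # adb output may carry a CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;           # malformed or empty value
    esac
    n=$(to_num "$level")
    if [ "$n" -ge "$(to_num "$FULL_LEVEL")" ]; then
        echo "full"       # at or past the 12/05 level
    elif [ "$n" -ge "$(to_num "$PARTIAL_LEVEL")" ]; then
        echo "partial"    # at the 12/01 level only
    else
        echo "missing"    # predates the December bulletin
    fi
}

# The article lists Android 13 to 16 as the versions the patches apply to.
audit_device() {  # args: name release patch_level
    case "$2" in
        13|14|15|16) scope="listed" ;;
        *)           scope="not-listed" ;;
    esac
    printf '%s android=%s %s %s\n' "$1" "$2" "$scope" "$(classify_patch_level "$3")"
}

# Constructed sample inventory: name, Android release, reported patch level.
while read -r name release patch; do
    audit_device "$name" "$release" "$patch"
done <<'EOF'
pixel-a 16 2025-12-05
tablet-b 14 2025-12-01
phone-c 13 2025-11-05
kiosk-d 12 2024-06-01
EOF
```

A device reported as "not-listed" runs an Android release outside the versions this bulletin's patches apply to, so its patch level will not advance through this update.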
