Google’s December Security Update Fixes Two Zero-Day Vulnerabilities (and 105 Others)

In its December Android security bulletin, Google pushes a particularly large number of updates to address vulnerabilities in various components, and two of these vulnerabilities may have been exploited by attackers.

The December patch addresses 107 vulnerabilities in the Android kernel, system, and framework, as well as components from Qualcomm, MediaTek, Arm, Unisoc, and Imagination Technologies. High-severity vulnerabilities include denial of service, privilege escalation, and information disclosure. Several bugs are also rated “critical.”

Two active exploits

Two of the vulnerabilities fixed in the December update are zero-day vulnerabilities, meaning those that were actively exploited or publicly disclosed before the developer released a patch. Google notes that both vulnerabilities may be under “limited, targeted exploitation.”


CVE-2025-48633 is an information disclosure vulnerability, and CVE-2025-48572 is a privilege escalation vulnerability. Both vulnerabilities affect Android Framework versions 13 through 16.

Google has not disclosed any further information about these vulnerabilities or how (or by whom) they might have been exploited. However, as Bleeping Computer reports, similar vulnerabilities have previously been targeted by commercial spyware and government campaigns.


Make sure your Android device is up to date

You should always install security updates as soon as they become available. So, if you see a notification that an update is required, follow the instructions to download and install it. You can also check for updates by going to Settings > Security & Privacy > System & Updates > Security Update. Please note that this may vary slightly depending on your device. You can always find the update by searching for “update.”

This month’s patches apply to Android Open Source Project (AOSP) versions 13, 14, 15, and 16, and are dated 12/01/2025 and 12/05/2025. The latter fixes all known issues.

Pixel users (and the core AOSP code) will receive patches from Google, and users of other Android devices from Huawei, LGE, Samsung, Motorola, and Nokia should see updates from their manufacturers around the same time.
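
For anyone managing more than one device, the same check can be run across an inventory. The following is an added example, not code from the article or from Google: it classifies devices by the properties `ro.build.version.release` and `ro.build.version.security_patch` (as read with `adb shell getprop`), using the affected versions and patch-level dates given above. The serials and inventory lines are constructed sample data, and the status labels are this example's own.

```python
from datetime import date

# Patch levels named in the article (12/01/2025 and 12/05/2025).
PARTIAL_LEVEL = date(2025, 12, 1)
FULL_LEVEL = date(2025, 12, 5)
# Android releases the article lists as affected and patched (13 through 16).
COVERED_RELEASES = range(13, 17)

# Constructed sample inventory: serial, ro.build.version.release,
# ro.build.version.security_patch (as returned by `adb shell getprop`).
SAMPLE_INVENTORY = """\
PIXEL-0001  16  2025-12-05
SAMS-0002   15  2025-12-01
MOTO-0003   14  2025-11-05
NOKIA-0004  13
OLD-0005    12  2023-10-01
"""


def classify(release: str, patch_level: str) -> str:
    """Map one device's release and patch level to a status label."""
    try:
        major = int(release.strip().split(".")[0])
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"        # missing or malformed property: check by hand
    if major not in COVERED_RELEASES:
        return "not-covered"    # release is outside the versions this bulletin patches
    if level >= FULL_LEVEL:
        return "patched"        # 2025-12-05 level or later
    if level >= PARTIAL_LEVEL:
        return "partial"        # 2025-12-01 level only
    return "missing"            # no December patches installed


def audit(inventory: str) -> dict[str, str]:
    """Return {serial: status} for every non-empty, non-comment inventory line."""
    results = {}
    for line in inventory.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        serial, rest = fields[0], fields[1:] + ["", ""]   # pad absent columns
        results[serial] = classify(rest[0], rest[1])
    return results


if __name__ == "__main__":
    for serial, status in audit(SAMPLE_INVENTORY).items():
        print(f"{serial:12} {status}")
```

Devices reported as `partial`, `missing`, or `unknown` are the ones to follow up on; `not-covered` devices run a release this bulletin does not list.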
