Google addresses 107 Android vulnerabilities, including two zero-days

Google released its December 2025 Android security update on Monday, addressing a total of 107 vulnerabilities, including two actively exploited zero-day flaws. The update represents the second-highest number of defects patched this year, following the 120 vulnerabilities fixed in September.

The zero-day vulnerabilities — CVE-2025-48633 and CVE-2025-48572 — affect the Android framework. Google warned that attackers could exploit these flaws to access sensitive information or escalate privileges on targeted devices. As of Monday, neither vulnerability had been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) catalog of known exploited vulnerabilities.

The most critical vulnerability in this month’s update, CVE-2025-48631, allows remote denial-of-service attacks without requiring additional execution privileges, highlighting the urgent need for users to apply the patches.

The update is provided in two patch levels — 2025-12-01 and 2025-12-05 — enabling Android partners to integrate fixes across a wide range of devices. Manufacturers release these security patches on their own schedules after tailoring them to specific hardware.
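A fleet check against the two patch levels above, as an added example that is not code from Google or from the bulletin. It assumes the usual Android convention that the later level (2025-12-05) includes everything in the earlier one, and that each device's level was collected beforehand (for instance from the `ro.build.version.security_patch` property); the device names and the inventory are constructed.

```python
import csv
import io
import re
from datetime import date

# The two patch levels named in the December 2025 bulletin.
PARTIAL_LEVEL = date(2025, 12, 1)
FULL_LEVEL = date(2025, 12, 5)

_SPL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def classify(spl: str) -> str:
    """Return 'full', 'partial', 'missing' or 'unknown' for a patch-level string."""
    m = _SPL_RE.match(spl.strip())
    if not m:
        return "unknown"          # empty or malformed value: needs manual follow-up
    try:
        level = date(*map(int, m.groups()))
    except ValueError:
        return "unknown"          # e.g. 2025-13-40
    if level >= FULL_LEVEL:
        return "full"             # at or past 2025-12-05
    if level >= PARTIAL_LEVEL:
        return "partial"          # has 2025-12-01 but not 2025-12-05
    return "missing"              # predates this month's update entirely

# Constructed inventory export (hypothetical device names).
SAMPLE_INVENTORY = """device,security_patch
pixel-lab-01,2025-12-05
tablet-kiosk-07,2025-12-01
handset-field-22,2025-09-05
scanner-wh-03,
handset-field-31,2026-01-01
"""

def audit(inventory_csv: str) -> dict:
    """Map each device in a CSV export to its status for this bulletin."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[row["device"]] = classify(row["security_patch"] or "")
    return result

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:20} {status}")
```

Devices reported as `partial` or `missing` are waiting on their manufacturer's release; `unknown` means the patch level could not be read and the device should be checked by hand.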

This month’s bulletin addresses:

  • 37 framework vulnerabilities, including the critical CVE-2025-48631
  • 14 system-level defects
  • 9 kernel vulnerabilities, 4 of which are critical
  • 2 Arm component flaws
  • 4 Imagination Technologies issues
  • 17 MediaTek component vulnerabilities
  • 13 Unisoc flaws
  • 11 Qualcomm component defects, including 2 critical

Google emphasized that the zero-day vulnerabilities may have been subject to limited, targeted exploitation, underscoring the importance of timely updates. The company plans to release source code for all patched vulnerabilities to the Android Open Source Project repository by Wednesday.

Although some months this year brought very few reported vulnerabilities, Google continues to strengthen Android security and address potential exploits across the ecosystem.
