Android Zero-Days Patched in December 2025 Security Update

Google has released its December 2025 Android security update, confirming that two of the vulnerabilities patched this month were actively exploited in limited, targeted attacks. The company urges users to install the latest update as soon as it becomes available on their devices.

Two Zero-Days Under Active Exploitation

The exploited flaws, tracked as CVE-2025-48633 and CVE-2025-48572, affect Android’s Framework component. According to Google, one vulnerability could enable information disclosure, while the other could allow elevation of privilege, potentially giving attackers unauthorized access to sensitive system functions.

While Google has not disclosed technical details about the attacks, the wording of the advisory suggests the zero-days may have been leveraged by a commercial spyware operator, consistent with previous targeted campaigns. The flaws impact Android versions 13 through 16.

Part of a Larger Patch Set

The two exploited vulnerabilities were fixed in the 2025-12-01 security patch level, which includes 51 patches for issues found in the Framework and System components. Google described the most severe among them as a critical bug in the Framework component that could lead to remote denial of service without requiring additional permissions from the attacker.

In total, Google addressed 107 vulnerabilities across Android this month. The second half of the update — delivered as the 2025-12-05 security patch level — includes fixes covering the kernel, as well as components from Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm.

No Google Play, Automotive, or Wear OS Fixes This Month

Unlike previous months, the December 2025 bulletin includes no security fixes for Google Play system updates, Android Automotive OS, or Wear OS, with all patches consolidated into the standard Android update.

Google notes that any device running the 2025-12-05 security patch level or later has all fixes included in this month’s update, along with those from previous bulletins.

Users are advised to apply the update promptly to reduce exposure to ongoing targeted attacks exploiting the two zero-day vulnerabilities.
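
For fleet triage against the two patch levels described above, the following added example (not from Google's bulletin or from this article's source) classifies devices from an inventory export. The `id,release,patch_level` line format and the label names are assumptions; the patch level is the value a device reports in the `ro.build.version.security_patch` property.

```python
from datetime import date

# Patch levels and affected releases as stated in the article.
FRAMEWORK_SYSTEM_LEVEL = date(2025, 12, 1)  # fixes CVE-2025-48633 / CVE-2025-48572
FULL_LEVEL = date(2025, 12, 5)              # adds kernel and vendor component fixes
AFFECTED_RELEASES = range(13, 17)           # Android 13 through 16

def classify(release: str, patch_level: str) -> str:
    """Return a triage label (assumed names) for one device."""
    try:
        level = date.fromisoformat(patch_level.strip())
        major = int(release.strip().split(".")[0])
    except ValueError:
        return "unknown"           # malformed or missing value: inspect by hand
    if level >= FULL_LEVEL:
        return "fully-patched"
    if level >= FRAMEWORK_SYSTEM_LEVEL:
        return "zero-days-fixed"   # 2025-12-05 kernel/vendor fixes still missing
    if major in AFFECTED_RELEASES:
        return "exposed"           # affected release without the 2025-12-01 fixes
    return "below-december-level"  # release not listed as affected by the two CVEs

def triage(inventory: str) -> dict:
    """Group device ids by label from 'id,release,patch_level' lines."""
    result = {}
    for line in inventory.strip().splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            result.setdefault("unknown", []).append(parts[0])
            continue
        dev, release, level = parts
        result.setdefault(classify(release, level), []).append(dev)
    return result

# Constructed sample inventory (not real devices).
SAMPLE = """
pixel-01,16,2025-12-05
tab-07,14,2025-12-01
phone-22,15,2025-11-05
kiosk-03,12,2025-03-01
phone-31,13,
"""

if __name__ == "__main__":
    for label, devices in sorted(triage(SAMPLE).items()):
        print(f"{label}: {', '.join(devices)}")
```

Devices labelled `exposed` are the ones to prioritize, since they run an affected release without the fixes for the two exploited flaws.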
