Google Patches 107 Android Flaws, Including Two Exploited Zero-Days

Publication date: 2025-12-02

Google has released its December 2025 Android security update, addressing a total of 107 vulnerabilities across the Android platform. Among these are two high-severity flaws in Android’s Framework component that have already been confirmed as exploited in real-world attacks.

The update affects core Android functionality (Framework, System and Kernel) as well as hardware components from major vendors such as Qualcomm, MediaTek, Arm, Unisoc and Imagination Technologies. Although Google has not disclosed exploitation details, it confirmed that there are signs of limited, targeted attacks, a phrase typically associated with advanced surveillance tooling, nation-state activity or specialized exploitation frameworks.

Update: Earlier today we also highlighted GrapheneOS in our Advent Calendar series as a privacy-focused, hardened alternative to stock Android (see post). With actively exploited vulnerabilities now confirmed, interest in security-first mobile operating systems is no longer theoretical. One recent example is CVE-2025-48593, which demonstrates how privilege escalation flaws continue to surface at system level. For users looking to reduce attack surface beyond patching alone, GrapheneOS represents a serious defensive option on supported Pixel devices.

Two Framework Vulnerabilities Actively Exploited

The two zero-days confirmed as exploited both affect Android’s Framework layer, which sits beneath applications and above the kernel:

CVE-2025-48633 allows information disclosure, potentially exposing sensitive internal device or application data. This may include internal system data, application content or metadata that should not be accessible without authorization.

CVE-2025-48572 enables elevation of privilege, allowing attackers to break out of standard app restrictions and gain unauthorized capabilities on the device. In practice, this type of flaw can make it possible to bypass sandboxing, manipulate system features or establish persistent access.

Both vulnerabilities affect Android versions 13, 14, 15 and 16. While Google has not attributed the attacks, the limited-exploitation language strongly suggests they were not opportunistic but deliberately deployed in targeted operations.

Critical Vulnerabilities Overview

In addition to the two exploited weaknesses, Google patched several critical issues across the Android ecosystem.

Critical Vulnerabilities (December 2025)

| CVE ID | Component | Type | Impact |
|---|---|---|---|
| CVE-2025-48633 | Framework | Information Disclosure | Data leakage and exposure of sensitive system and app information. |
| CVE-2025-48572 | Framework | Elevation of Privilege | Attacker gains higher permissions and may escape the app sandbox. |
| CVE-2025-48631 | Framework | Denial of Service | Remote device crash without special privileges or user interaction. |
| CVE-2025-48623 | Kernel (pKVM) | Elevation of Privilege | Potential kernel-level compromise via virtualization. |
| CVE-2025-48624 | Kernel (IOMMU) | Elevation of Privilege | Possible memory isolation bypass. |
| CVE-2025-48637 | Kernel (pKVM) | Elevation of Privilege | Escalation risk through virtualization. |
| CVE-2025-48638 | Kernel (pKVM) | Elevation of Privilege | Guest-to-host escape risk and deeper system compromise. |

Kernel and Hardware Vendor Exposure

The second wave of fixes (the 2025-12-05 patch level) includes security updates to Android’s Linux kernel and third-party chipset drivers. Several critical and high-severity issues were found in virtualization components and networking subsystems, which could allow attackers with local access to escalate privileges to kernel level.

Fixes were also issued for components supplied by Qualcomm, MediaTek, Unisoc, Arm and Imagination Technologies. These cover areas such as GPU drivers, modem firmware and bootloaders. Because these patches are integrated by device manufacturers, rollout speed can vary significantly, and older or lower-cost devices may never receive the updates.

Why This Update Matters

Modern Android exploitation operates quietly and precisely. Framework and kernel vulnerabilities give attackers a way to operate beyond application boundaries, often without leaving obvious traces for the user. Once exploited, these weaknesses can allow device monitoring, data exfiltration or disruption without visible signs of compromise.

For most people and organizations, smartphones now function as identity providers, work devices, authentication hubs and personal archives. An unpatched phone is no longer just a technical weakness; it is a potential entry point into mailboxes, cloud environments and internal business systems.

The fact that some of these flaws were exploited before disclosure is another reminder that real-world attackers are already working ahead of public advisories. Patching is not just hygiene; it is an active defensive measure.

How to Check If Your Android Device Is Vulnerable

You can quickly check whether your device contains the December fixes by reviewing the Android security patch level:

  1. Open the Settings app on your device.
  2. Go to Security & privacy or, on some devices, About phone.
  3. Tap on Security patch level or a similarly named entry.
  4. Check the date that is shown on the screen.

If your patch level shows 2025-12-05 or any later date, your device includes all the fixes from this bulletin. A patch level of 2025-12-01 means that some, but not all, of the issues have been addressed. Anything older than December 2025 means that known high-severity and actively exploited vulnerabilities remain unpatched on your device.
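
For more than a handful of devices, the same comparison can be scripted. The shell script below is an added example, not part of Google's bulletin or this article's original text. It assumes the patch level is read with adb from the ro.build.version.security_patch system property, and the device serials in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example: thresholds are the two patch levels named in the article.
FULL_LEVEL=20251205     # 2025-12-05 or later: all fixes from this bulletin
PARTIAL_LEVEL=20251201  # 2025-12-01: some, but not all, fixes

# classify_patch_level YYYY-MM-DD -> full | partial | outdated | unknown
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty or malformed value
    esac
    n=$(printf '%s' "$1" | tr -d '-')  # 2025-12-05 -> 20251205
    if [ "$n" -ge "$FULL_LEVEL" ]; then
        echo full
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then
        echo partial
    else
        echo outdated
    fi
}

# Read the patch level from an attached device (needs adb and USB debugging;
# defined for live use, not called below).
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# report_inventory: reads "serial patch-level" lines on stdin and prints
# "serial patch-level status" for each device.
report_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "${level:-missing}" \
            "$(classify_patch_level "$level")"
    done
}

# Constructed sample inventory (serials are made up for illustration).
report_inventory <<'EOF'
PIXEL-0001 2025-12-05
TAB-0002 2025-12-01
PHONE-0003 2025-09-01
KIOSK-0004
EOF
```

Devices reported as outdated or unknown are the ones to follow up on first; a device that reports no patch level at all is treated as unknown rather than assumed patched.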

If your device does not offer an update to at least the December 2025 patch levels, the manufacturer may have ended security support. In that situation, using the device for sensitive activities such as email, banking or business apps carries additional risk, and it is worth planning a migration path to a supported device.

Where BaseFortify Fits In

Keeping track of individual CVEs and security bulletins is difficult even for experienced security teams, and it becomes almost impossible when you try to map every vulnerability to your own devices and systems. The result is that many organizations know that issues exist but cannot easily see which ones really matter to them.

BaseFortify focuses on bridging that gap. Instead of leaving you to interpret long vulnerability lists on your own, it helps you understand which vulnerabilities are relevant to your environment, which components and vendors are involved and where the real exposure lies. That way you can spend less time manually correlating advisories and more time reducing actual risk.

If you want clearer visibility into how updates like the December 2025 Android bulletin affect your situation, you can start by registering an account:

https://basefortify.eu/register

Resources

For further technical detail and official references, you can consult: