SOCRadar® Cyber Intelligence Inc. | December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited
Dec 02, 2025

December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited

Google has published the December 2025 Android Security Bulletin, addressing 100+ vulnerabilities across core platform and vendor components. The update introduces two patch levels (2025-12-01 and 2025-12-05). Importantly, Google reports indications of limited, targeted exploitation for two Framework zero-days, CVE-2025-48633 and CVE-2025-48572, placing them among the most urgent flaws to fix in this release.

In this blog, we break down the exploited Android vulnerabilities, highlight other key fixes, and explain what organizations and users should do next.

Actively Exploited Zero-Day Vulnerabilities in Android Framework (CVE-2025-48633 & CVE-2025-48572)

In the December 2025 Android Security Bulletin, Google notes that two Framework vulnerabilities may already be under limited, targeted exploitation in the wild:

  • CVE-2025-48633 – Information disclosure in Framework
  • CVE-2025-48572 – Elevation of privilege in Framework

These issues affect Android 13 through 16 and stand out from the rest of the bulletin because of the exploitation signal.

CVE-2025-48633: Android Framework Information Disclosure

CVE-2025-48633 is an information disclosure vulnerability in the Android Framework, rated High and affecting Android 13, 14, 15, and 16.

While public technical details are limited at this stage, an attacker who can trigger this flaw (for example, through a malicious app or other local vector) could potentially access data that should remain confined to another component or privilege boundary. Combined with other bugs, such information leaks often help attackers bypass security checks or refine exploit chains.

Google has stated that there are indications this vulnerability may have been exploited in limited, targeted attacks, which makes timely patching essential.

CVE-2025-48572: Android Framework Elevation of Privilege

CVE-2025-48572 is a High-severity elevation-of-privilege vulnerability in the Framework that also impacts Android 13-16.

If successfully exploited, a local attacker could gain higher-than-intended privileges on the device. In practice, this type of bug can allow a malicious application to escape parts of the standard Android security model, potentially moving from a constrained app context toward more powerful system capabilities.

Like CVE-2025-48633, Google notes signs of limited, targeted exploitation for this issue, which elevates its priority despite the lack of public exploit details.

SOCRadar’s Vulnerability Intelligence

Monthly bulletins like December’s provide essential information, but security teams still face a familiar problem: turning a long list of CVEs, kernels, and vendor components into concrete, prioritized action.

SOCRadar’s Cyber Threat Intelligence can help close this gap by:

  • Correlating vulnerabilities with real-world exploitation, including signals from CISA KEV, exploit kits, and Dark Web chatter.
  • Enriching Android-related CVEs with exploit availability, affected products, and severity in the context of your own environment.
  • Linking vulnerabilities to exposed assets via Attack Surface Management (ASM), so teams can see which internet-facing systems and mobile endpoints are most at risk.

Other Severe Vulnerabilities Patched

Beyond the exploited Framework issues, the December 2025 Android Security Bulletin includes several critical vulnerabilities that deserve attention from security teams.

A summary of other severe vulnerabilities involved in the December 2025 cycle

CVE-2025-48631 – Critical Framework DoS

The bulletin’s headline issue is a critical remote Denial-of-Service (DoS) vulnerability in the Framework, CVE-2025-48631, affecting Android versions 13-16.

According to Google, this flaw could allow a remote attacker to trigger a denial of service without any additional execution privileges. In a real-world scenario, successful exploitation could cause device instability or service disruption until the user reboots or the affected component recovers.

Critical Kernel Escalation of Privilege

The 2025-12-05 patch level includes multiple critical kernel issues that allow local elevation of privilege, mainly in pKVM and IOMMU subcomponents:

  • CVE-2025-48623 – pKVM
  • CVE-2025-48624 – IOMMU
  • CVE-2025-48637 – pKVM
  • CVE-2025-48638 – pKVM

These vulnerabilities are addressed via upstream kernel patches and can, in the worst case, allow a local attacker (for example, through another compromised component) to gain elevated privileges in the virtualization or memory-management layers. When combined with an initial code-execution bug, such kernel-level issues can lead to full device compromise.

High-Severity Kernel and System Bugs

In addition to the critical items, the bulletin lists a range of High-severity kernel and System vulnerabilities, including:

  • Kernel networking and EPoll issues such as CVE-2024-35970, CVE-2025-38236, and CVE-2025-38349, which are elevation-of-privilege bugs in Net and EPoll subsystems.
  • Multiple System component vulnerabilities (for example CVE-2025-48536, CVE-2025-48566, and CVE-2025-48612) that can result in local elevation of privilege or information disclosure on Android 13-16.

Even without known exploitation, these issues present attractive targets for attackers who already have some level of code execution on a device.

Vendor Component Fixes: GPU, Modem, and Bootloader

The December bulletin also coordinates fixes from several chipset and hardware vendors, many of which affect devices across different manufacturers.

A summary of vendor component vulnerabilities involved in the December 2025 cycle

Arm and Imagination GPU Vulnerabilities

  • Arm Mali GPU: Two High-severity vulnerabilities (CVE-2025-6349, CVE-2025-8045) affect Mali GPU components.
  • Imagination PowerVR GPU: Multiple High-severity issues (including CVE-2025-6573, CVE-2025-25177, CVE-2025-46711, CVE-2025-58410) impact PowerVR GPUs.

Details are provided in the vendors’ own advisories, but these typically involve conditions that can lead to memory corruption, information disclosure, or local privilege escalation in GPU drivers.

MediaTek and Unisoc Modem Issues

Many of the High-severity bugs in this bulletin affect MediaTek and Unisoc modem stacks and related components (IMS services, preloader, and modem firmware).

Because these components handle cellular connectivity and low-level radio functions, vulnerabilities here can, in some cases, enable attackers with the right capabilities to interfere with communications, gain elevated privileges within the baseband environment, or destabilize the device. Most organizations will rely on OEM firmware updates to receive these fixes.

Qualcomm Kernel, Bootloader, and Closed-Source Components

Google also lists several Qualcomm-related fixes, including:

  • High-severity kernel and bootloader vulnerabilities (e.g., CVE-2025-47351, CVE-2025-47354, CVE-2025-47382)
  • Critical and High issues in Qualcomm closed-source components, such as CVE-2025-47319 and CVE-2025-47372

As with other vendor fixes, full technical details are provided in Qualcomm’s own bulletins, but Android device updates will bundle these patches for supported models.

December 2025 Android Security Bulletin – Patch Levels and Coverage

The December 2025 Android Security Bulletin defines two patch levels:

  • 2025-12-01 patch level: Covers Framework and System vulnerabilities, including the exploited issues CVE-2025-48633 and CVE-2025-48572, the critical Framework DoS CVE-2025-48631, and associated High-severity flaws.
  • 2025-12-05 patch level: Includes all fixes from 2025-12-01 plus additional patches for Kernel, Arm, Imagination, MediaTek, Unisoc, and Qualcomm components.

Android December 2025 patch levels

Devices reporting a security patch level of 2025-12-05 or later are considered protected against all vulnerabilities mentioned in the December bulletin and earlier months. OEMs that ship only the 2025-12-01 patch level must still include all issues assigned to that level and previous bulletins.

Google plans to publish the corresponding AOSP source code patches within roughly 48 hours of the bulletin’s initial release, enabling device manufacturers to integrate the changes into their own builds.

Note that Google Play system updates (Project Mainline) do not include additional security fixes this month.

How to Stay Protected

Even before device-specific updates arrive, Android’s built-in protections reduce the impact of many vulnerabilities. Still, timely patching remains essential, especially given the exploited Framework issues in this release.

For individual users:

  • Install the December update as soon as it becomes available for your device, and aim for the 2025-12-05 patch level where possible.
  • Keep Google Play Protect enabled, particularly if you install apps from outside Google Play.
  • Limit sideloading, and review app permissions regularly to reduce the risk from malicious or over-privileged apps.

For organizations managing Android fleets:

  • Track patch levels across managed devices and set policies to require the December 2025 security update for supported models.
  • Prioritize high-risk groups and sensitive use cases (for example, devices with broader app installation permissions or access to critical data) for faster rollout.
  • Monitor vendor-specific advisories (Samsung, Pixel, other OEMs) for details on model coverage and any additional patches layered on top of the Android bulletin.
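
The patch-level rules from the coverage section, applied to the fleet-tracking advice above, as an added example (not code from Google's bulletin or from SOCRadar): the Python sketch below classifies each device in an inventory by its reported security patch level and sorts the most urgent first. The CSV column names and sample rows are constructed assumptions; on a device, the patch level is the value of the ro.build.version.security_patch property.

```python
import csv
import io
from datetime import date

# Patch levels and their coverage, as described in the article.
FRAMEWORK_SYSTEM_LEVEL = date(2025, 12, 1)   # Framework + System fixes
FULL_LEVEL = date(2025, 12, 5)               # adds Kernel and vendor components
EXPLOITED = ("CVE-2025-48633", "CVE-2025-48572")  # Framework, Android 13-16
AFFECTED_RELEASES = range(13, 17)

def classify(release: str, patch_level: str) -> dict:
    """Map one device's Android release and patch level to December exposure."""
    try:
        level = date.fromisoformat(patch_level.strip())
        major = int(release.strip().split(".")[0])
    except ValueError:
        # Missing or malformed inventory data must never count as compliant.
        return {"status": "unknown", "exploited_open": [], "priority": 1}
    if level >= FULL_LEVEL:
        return {"status": "covered", "exploited_open": [], "priority": 3}
    if level >= FRAMEWORK_SYSTEM_LEVEL:
        # Framework/System fixed; Kernel and vendor component fixes still missing.
        return {"status": "partial", "exploited_open": [], "priority": 2}
    # The article lists Android 13-16 for the exploited CVEs; other releases
    # are flagged unpatched without attributing those CVEs to them.
    open_cves = list(EXPLOITED) if major in AFFECTED_RELEASES else []
    return {"status": "unpatched", "exploited_open": open_cves,
            "priority": 0 if open_cves else 1}

def triage(inventory_csv: str) -> list:
    """Return (device_id, result) pairs, most urgent first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    results = [(r["device_id"], classify(r["release"], r["patch_level"]))
               for r in rows]
    return sorted(results, key=lambda item: item[1]["priority"])

# Constructed sample inventory (hypothetical MDM export; columns are assumptions).
SAMPLE = """device_id,release,patch_level
pixel-001,16,2025-12-05
tab-014,14,2025-11-01
phone-207,15,2025-12-01
kiosk-033,13,
legacy-002,12,2025-03-01
"""

if __name__ == "__main__":
    for device_id, result in triage(SAMPLE):
        print(device_id, result["status"], ",".join(result["exploited_open"]) or "-")
```

Devices with a missing or unparseable patch level are reported as unknown and ranked ahead of partially patched ones, so gaps in inventory data surface for review instead of passing as compliant.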

For full technical details, see the official December 2025 Android Security Bulletin.