Google has released patches for 107 vulnerabilities today, but cybercriminals were already exploiting two critical flaws before the fixes arrived.

The December security bulletin revealed that attackers had been conducting “limited, targeted exploitation” of framework vulnerabilities affecting billions of Android devices.

This wasn’t just another routine security update—it represents one of the most comprehensive Android patches ever released.

According to Google’s bulletin, these actively exploited vulnerabilities could enable unauthorized data access and elevated device privileges without requiring any user interaction.

Revelations

The most disturbing revelations center on CVE-2025-48633 and CVE-2025-48572—two high-severity framework vulnerabilities that cybercriminals discovered and weaponized before patches became available. The first allows unauthorized disclosure of sensitive device information, while the second enables attackers to gain elevated system privileges on compromised devices.

Both vulnerabilities target the Android framework across versions 13, 14, 15, and 16, creating a massive attack surface spanning virtually all modern Android installations. What makes these flaws particularly dangerous is their potential for exploitation chains—attackers could theoretically combine information disclosure with privilege escalation to achieve complete device compromise.

Despite active exploitation, neither vulnerability has appeared on the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, suggesting the attacks may be more sophisticated and targeted than typical widespread campaigns.

December update

The December update addresses far more than just the actively exploited flaws. Google’s comprehensive security bulletin covers 51 immediate patches released Dec. 1, with an additional 56 vulnerabilities scheduled for fixes on Dec. 5, targeting third-party components from major hardware vendors including Arm, MediaTek, Qualcomm, and Unison.

Among the most severe additional threats is CVE-2025-48631, a critical framework vulnerability enabling remote denial-of-service attacks without requiring any special permissions or user interaction. This flaw could potentially allow attackers to crash Android devices remotely, creating opportunities for further exploitation or simply disrupting critical communications.

The kernel component also received significant attention, with four critical vulnerabilities addressed in this update cycle. Additionally, Qualcomm’s closed-source components required patches for multiple security issues, highlighting how deeply these vulnerabilities penetrate the Android ecosystem.

Android devices

The December update exposes the ongoing cat-and-mouse game between Android’s security team and increasingly sophisticated threat actors.

Users should immediately check their device’s security patch level and update to the latest available version. The company has not disclosed specific details about the attack campaigns exploiting these vulnerabilities, leaving questions about whether they were used in targeted espionage operations or broader cybercriminal activities.
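One way to run that patch-level check across several devices, as an added example that is not part of Google's bulletin or the original article. It assumes the article's Dec. 1 and Dec. 5 batches correspond to the patch-level strings 2025-12-01 and 2025-12-05, reads the level from the Android property `ro.build.version.security_patch`, and uses a constructed inventory with made-up serials.

```shell
#!/bin/sh
# Added example. Assumption: the article's "Dec. 1" and "Dec. 5" batches map
# to the patch-level strings 2025-12-01 and 2025-12-05.
DEC_FIRST=20251201   # first batch (51 patches per the article)
DEC_FIFTH=20251205   # second batch (56 more, third-party components)

# Print a verdict for one patch-level string in YYYY-MM-DD form.
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    n=$(printf '%s' "$1" | tr -d '-')
    if [ "$n" -ge "$DEC_FIFTH" ]; then
        echo "dec-05-complete"
    elif [ "$n" -ge "$DEC_FIRST" ]; then
        echo "dec-01-only"
    else
        echo "missing-december-fixes"
    fi
}

# Read "serial patch_level" lines on stdin; print devices not fully patched.
report_outdated() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        verdict=$(classify_patch_level "$level")
        [ "$verdict" = "dec-05-complete" ] || echo "$serial $level $verdict"
    done
}

# Constructed sample inventory (serials and levels are made up).
sample_inventory() {
    cat <<'EOF'
EXAMPLE0001 2025-12-05
EXAMPLE0002 2025-12-01
EXAMPLE0003 2025-09-05
EXAMPLE0004
EOF
}

# With --adb, query the attached device instead of the sample data.
if [ "${1:-}" = "--adb" ]; then
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "device $level $(classify_patch_level "$level")"
else
    sample_inventory | report_outdated
fi
```

A device that reports no patch level at all is listed as `unknown` rather than silently passing, so missing inventory data is surfaced alongside outdated devices.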

This development continues a troubling pattern—just three months ago, Google patched two other actively exploited Android vulnerabilities that enabled local privilege escalation. The recurring discovery of zero-day exploits in Android’s core components suggests that threat actors are investing heavily in mobile platform research, making regular security updates more critical than ever for protecting personal and enterprise data.
