Two Android 0-day bugs disclosed and fixed, plus 105 more to patch
theregister.co.uk

Two high-severity Android bugs were exploited as zero-days before Google issued a fix, according to its December Android security bulletin.
The two vulnerabilities are CVE-2025-48633, an information-disclosure flaw in Android's framework component, and CVE-2025-48572, an elevation-of-privilege bug also in the framework component. Both are ranked high severity, and according to Google, both "may be under limited, targeted exploitation."
Both of these – plus an additional 105 security holes – all have patches, so it's a good idea to update your Android software ASAP.
Google didn't provide any details about who is exploiting the vulnerabilities, nor to what end, but we know that commercial spyware and government-sponsored attackers like to exploit these types of mobile device zero-days for snooping purposes.
This latest zero-day follows an emergency patch that Google issued last month for a high-severity Chrome bug that attackers have already found and exploited in the wild.
That vulnerability, tracked ...
Copyright of this story solely belongs to theregister.co.uk.

