Android Zero-Days Patched in December 2025 Security Update

Google warns that two out of the 107 vulnerabilities patched in Android this month have been exploited in limited, targeted attacks.

Google on Monday released new security updates for Android users, warning that two of the resolved vulnerabilities have been exploited in attacks.

The exploited zero-days, tracked as CVE-2025-48633 and CVE-2025-48572, impact the platform’s Framework component and could be exploited for information disclosure or elevation of privilege, respectively.

The December 2025 Android Security Bulletin reads:

“There are indications that the following may be under limited, targeted exploitation.

CVE-2025-48633

CVE-2025-48572”

Google has refrained from sharing additional information on the two security defects, except that they impact Android versions 13, 14, 15, and 16.

Given the internet giant’s phrasing, both flaws might have been exploited by a commercial spyware vendor.

The issues were addressed in the first part of Android’s December 2025 security update, which arrives on devices as ...