Android Patch Update December 2025


December 2025 brings one of the most important Android security updates of the year, with over a hundred vulnerabilities fixed across the OS, kernel, and major chipset vendors. This blog post walks through the key issues, why they matter for both everyday users and high‑risk targets, and what enterprises should prioritize in their patching playbooks.

Overview: A heavy‑hitting monthly release

Google’s December 2025 Android Security Bulletin addresses 107 distinct flaws spanning the Android Framework, System, kernel, and components supplied by vendors such as Qualcomm, MediaTek, Unisoc, ARM, and Imagination. Devices updated to the 2025‑12‑05 patch level are considered fully remediated for all issues disclosed in this bulletin and the earlier 2025‑12‑01 level.

Two zero‑day vulnerabilities are the headline items this month, both already observed in targeted attacks and now patched on supported Android 13–16 builds. Combined with critical kernel and virtualization bugs and a long tail of elevation‑of‑privilege and information‑disclosure issues, this release is a genuine “drop everything and patch” moment for security‑conscious organizations.

Actively exploited zero‑days in Android Framework

The most urgent fixes are two high‑severity Framework bugs, CVE‑2025‑48633 and CVE‑2025‑48572, which Google explicitly flags as being under limited, targeted exploitation. Because they sit in the Android Framework, they can be reached from ordinary apps and potentially chained with other flaws to build powerful local exploits.

  • CVE‑2025‑48633 is an information disclosure vulnerability that lets a malicious app access sensitive data beyond its normal sandbox expectations, providing insight into system state, memory, or security primitives that can be reused in more advanced attacks.
  • CVE‑2025‑48572 is an elevation‑of‑privilege bug allowing a local attacker to escalate from a constrained app context to a more privileged one, turning simple code execution into a deeper compromise of the device.

For high‑value targets—executives, journalists, political figures, and admins of sensitive cloud or enterprise environments—these two CVEs represent precisely the type of building blocks commercial spyware and APT tooling look for. Any fleet handling sensitive data should treat December’s update as an emergency rollout, not a routine maintenance event.

Framework hardening: EoP, info‑leak, and DoS

Beyond the zero‑days, the Framework section includes a long list of high‑severity issues that collectively tighten Android’s core API layer. Multiple elevation‑of‑privilege CVEs (including CVE‑2025‑48525, CVE‑2025‑48564, CVE‑2025‑48565, CVE‑2025‑48580, CVE‑2025‑48589, CVE‑2025‑48596, CVE‑2025‑48601, CVE‑2025‑48618, CVE‑2025‑48620, and CVE‑2025‑48629) allow local actors to gain capabilities they should not have, such as broader access to protected APIs or system functions.

The bulletin also lists several information‑disclosure and denial‑of‑service issues (for example CVE‑2025‑48591, CVE‑2025‑48592, CVE‑2025‑48628, CVE‑2025‑48576, CVE‑2025‑48590, CVE‑2025‑48603, and CVE‑2025‑48614), which can leak data used to bypass mitigations or disrupt key services. Attackers typically chain these “supporting” flaws with browser or app bugs to move from a user process into more sensitive parts of the OS, making comprehensive patch coverage critical.

Critical Framework DoS: CVE‑2025‑48631

CVE‑2025‑48631 stands out as the only Framework issue rated critical in this bulletin, described as a remotely triggerable denial‑of‑service bug across Android 13 through 16. In practical terms, this means an attacker may be able to crash or hang critical system components without needing elevated permissions, reducing availability or forcing repeated reboots.

While a DoS flaw lacks the impact of remote code execution, it can still be used to disrupt operations for organizations that depend on mobile devices in the field, or to interfere with security agents and monitoring tools that rely on OS stability. For regulated industries or mission‑critical deployments, this CVE deserves visibility in risk reports alongside the more obviously dangerous EoP and zero‑day issues.

System component vulnerabilities: Local escalation and data leakage

The Android System component also receives significant attention in December, with multiple high‑severity elevation‑of‑privilege and information‑disclosure bugs patched. EoP issues such as CVE‑2023‑40130, CVE‑2025‑22432, CVE‑2025‑48536, CVE‑2025‑48566, CVE‑2025‑48575, CVE‑2025‑48586, and CVE‑2025‑48626 can allow attackers with local code execution to gain broader control over the device than intended.

High‑severity data‑leak flaws including CVE‑2025‑48555, CVE‑2025‑48600, CVE‑2025‑48604, and CVE‑2025‑48622 may expose system or user data that helps attackers tailor exploits, bypass security checks, or fingerprint devices more effectively. For defenders, this set of System bugs is particularly relevant in scenarios where malicious apps are distributed via phishing, third‑party stores, or compromised SDKs.

Kernel and virtualization: pKVM and IOMMU criticals

At the 2025‑12‑05 patch level, Google closes several serious kernel‑level vulnerabilities, including four critical issues in protected KVM (pKVM) and IOMMU subsystems. These include CVE‑2025‑48623 and CVE‑2025‑48637 in pKVM and CVE‑2025‑48624 and CVE‑2025‑48638 in IOMMU, all rated critical elevation‑of‑privilege vulnerabilities.

Because pKVM and IOMMU are core to isolation between virtual machines and between devices and memory, successful exploitation can materially weaken Android’s sandboxing and virtualization guarantees. The bulletin also references high‑severity kernel flaws such as CVE‑2024‑35970, CVE‑2025‑38236, and CVE‑2025‑38349, which expand the attack surface for local kernel‑level privilege escalation. From an enterprise risk perspective, these kernel bugs justify aggressive patch timelines, especially on devices used for admin access or development.

Vendor and SoC‑level fixes: GPUs, modems, and boot chains

As usual, a large portion of the bulletin covers vulnerabilities in third‑party components that are delivered through OEM firmware updates, not just Google’s base images.

  • ARM Mali GPU: High‑severity GPU driver bugs such as CVE‑2025‑6349 and CVE‑2025‑8045 can potentially undermine graphics isolation and be combined with other issues to gain access to system memory.
  • Imagination PowerVR: GPU vulnerabilities like CVE‑2025‑6573, CVE‑2025‑25177, CVE‑2025‑46711, and CVE‑2025‑58410 may enable data leakage or execution paths via malicious workloads targeting the graphics stack.
  • MediaTek: A cluster of high‑severity modem and preloader vulnerabilities (for example CVE‑2025‑20725 through CVE‑2025‑20759 and related IDs) affects the cellular baseband and early boot components, raising the stakes for radio‑borne or pre‑OS attacks.
  • Unisoc: Numerous high‑severity modem bugs (including CVE‑2025‑31717, CVE‑2025‑31718, CVE‑2025‑3012, CVE‑2025‑11131–CVE‑2025‑11133, and CVE‑2025‑61607–CVE‑2025‑61619) highlight persistent risk in baseband implementations, which can sometimes be reached via crafted radio traffic.
  • Qualcomm and closed‑source components: High‑severity vulnerabilities like CVE‑2025‑47351, CVE‑2025‑47354, and CVE‑2025‑47382, plus critical closed‑source issues including CVE‑2025‑47319 and CVE‑2025‑47372, are documented further in Qualcomm’s December 2025 security bulletin.

Because OEMs integrate these changes on different schedules, an Android device reporting the latest Google patch level might still lag behind on vendor‑specific fixes, making it important for enterprises to track SoC advisories as part of their mobile risk management.

What security teams should do now

For vulnerability managers and blue teams, December 2025 can be boiled down to a focused action plan.

  • Prioritize deployment of the 2025‑12‑05 patch level (or vendor‑equivalent) across all supported Android 13–16 devices, treating this as an urgent, not routine, rollout.
  • Explicitly track remediation of CVE‑2025‑48633 and CVE‑2025‑48572, given confirmed in‑the‑wild exploitation and their central role in potential spyware or APT chains.
  • Include critical kernel issues (CVE‑2025‑48623, CVE‑2025‑48624, CVE‑2025‑48637, CVE‑2025‑48638) and the Framework critical DoS CVE‑2025‑48631 in executive reporting due to their impact on isolation and availability.
  • For BYOD or partially managed fleets, update awareness materials to emphasize the concrete risks of delaying this month’s update, including active exploitation and potential privacy impact.
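
One way to check a fleet against the patch levels in this plan, as an added example that is not from the bulletin or the original post: it classifies a constructed inventory by OS patch level (`ro.build.version.security_patch`) and vendor patch level (`ro.vendor.build.security_patch`), and flags devices that report 2025-12-05 while the vendor image lags. The CSV column names and status labels are assumptions.

```python
import csv
import io
from datetime import date

FULL_LEVEL = date(2025, 12, 5)      # level the post calls fully remediated
PARTIAL_LEVEL = date(2025, 12, 1)   # earlier December level
RELEASES = range(13, 17)            # Android 13-16, the builds the post names

# Constructed sample; column names are assumptions (hypothetical MDM export).
SAMPLE_INVENTORY = """\
device_id,android_release,security_patch,vendor_security_patch
exec-phone-01,15,2025-12-05,2025-12-05
field-tab-07,14,2025-12-01,2025-11-05
dev-phone-03,16,2025-12-05,2025-10-05
byod-114,13,2025-11-05,
kiosk-22,12,2025-03-05,2025-03-05
broken-09,14,unknown,
"""

def parse_level(value):
    try:
        return date.fromisoformat((value or "").strip())
    except ValueError:
        return None

def classify(row):
    """Map one inventory row to a remediation status for this bulletin."""
    os_level = parse_level(row["security_patch"])
    vendor_level = parse_level(row["vendor_security_patch"])
    if os_level is None:
        return "unknown"
    if int(row["android_release"].split(".")[0]) not in RELEASES:
        return "outside-13-16"
    if os_level < PARTIAL_LEVEL:
        return "missing-december"
    if os_level < FULL_LEVEL:
        return "partial"        # fixes listed at 2025-12-05 still missing
    if vendor_level is None or vendor_level < FULL_LEVEL:
        return "check-vendor"   # OS level current, vendor image lags or unknown
    return "remediated"

def audit(csv_text):
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.setdefault(classify(row), []).append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:17} {', '.join(devices)}")
```

Devices in the `check-vendor` group are the ones to cross-check against the SoC vendor's own advisory before counting them as closed.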

For readers who simply want to know, “Should I update now?” the answer is unequivocally yes: December 2025’s Android patches close real‑world attack paths at multiple layers of the stack, from high‑level Framework APIs down to virtualization, GPU, and modem firmware.
