Google has suddenly confirmed Android is under attack, rushing out fixes for two vulnerabilities “that could lead to remote denial of service with no additional execution privileges needed.” Manufacturers will receive new source code “within 48 hours.”
Google says there are “indications” that CVE-2025-48633 and CVE-2025-48572 “may be under limited, targeted exploitation.” In addition to the two zero-days, more than 100 other patches are included in December’s bumper update.
Both the high-severity exploited vulnerabilities affect Android’s framework, and could lead to “remote denial of service with no additional execution privileges needed.” It seems almost certain that some form of malicious spyware is behind the exploits. Google will not issue any further detail until updates have been released.
The fact that Google has issued the update on the first day of the month is notable. That it includes so many fixes is attributable to Google’s new process, whereby omnibus quarterly updates group fixes, leaving the intervening months relatively clear. That said, the zero-days would have been patched immediately anyway.
Neither vulnerability had been added to the U.S. cyber defense agency’s Known Exploited Vulnerabilities catalog by the end of Monday. You can expect both to be included within 24 to 48 hours, along with CISA’s usual update mandate.
The December update was also absent on Samsung’s security page at the end of the day. Again, you can expect this to be revised quickly given its seriousness. Unfortunately for Samsung users, they won’t get these updates quickly. Unlike Pixel (and iPhone), it takes the course of the whole month to get updates across Samsung’s install base.
Users are urged to check their Android OEM instructions and apply the new update as soon as it’s made available. While these attacks are highly targeted, such exploits have a nasty habit of expanding their reach and getting chained with other flaws.
If your Android phone is no longer eligible for security updates, you should consider an upgrade. The scale of December’s release is a good reminder of why that’s so critical.
