Google has suddenly warned that Android is now under attack, confirming two critical vulnerabilities “that could lead to remote denial of service with no additional execution privileges needed.” Just a few hours later, Samsung confirmed its own update.
Now America’s cyber defense agency has told users to update phones by Dec. 23 or stop using them altogether. This order is mandatory for federal staffers, but all other users should comply. Pixels will be updated quickly, Samsungs will take longer.
In addition to Android’s core updates, Samsung has also confirmed three critical vulnerabilities of its own, all discovered by Google’s Project Zero team and fixed in its December monthly update. None of these have made CISA’s attack catalog.
Warning that CVE-2025-48633 and CVE-2025-48572 “may be under limited, targeted exploitation,” Google assured that all Android OEMs will receive fixes by Wednesday. How quickly they are then rolled out will vary by manufacturer and network.
CISA warns users to update before the deadline “or discontinue use of the product if mitigations are unavailable.”
Only one of the two CISA-flagged vulnerabilities is currently on Samsung’s list; we don’t know why the other is missing. As ever, Google will not issue details until fixes have been released and users have had a chance to update.
Google’s Project Zero team, which found the new Samsung threats, operates “to find zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.” All three of the new Samsung vulnerabilities enable “remote attackers to access out-of-bounds memory.” That means take this seriously.
Samsung is Android’s leading OEM by some distance, and so the risk is high. The new issues affect the same libimagecodec.quram.so library behind Samsung’s emergency update in October and its own CISA warning.
CISA’s remit is “to help every organization better manage vulnerabilities and keep pace with threat activity,” and the agency says organizations should use its vulnerability catalog “as an input to their vulnerability management prioritization framework.”
I would expect Pixel updates to be confirmed this week and Samsung’s most recent flagships to start receiving updates within days. Others will have to wait. For government staff, just make sure you don’t miss the deadline.
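For admins working to the Dec. 23 deadline, here is an added fleet check (example code, not from the article, Google or CISA). It assumes each device’s patch level is read from the Android system property ro.build.version.security_patch and that the December 2025 fix corresponds to patch level 2025-12-01; the exact string for a given device comes from the vendor’s bulletin, so treat that baseline as an assumption.

```python
"""Flag devices whose security patch level predates the December 2025 fix.

Added example, not from the article or from Google/CISA. Assumptions:
 - patch levels come from ro.build.version.security_patch (e.g. via adb getprop)
 - the December fix maps to patch level 2025-12-01 (check the vendor bulletin)
"""
from datetime import date
from typing import Dict, Optional

REQUIRED_PATCH_LEVEL = date(2025, 12, 1)   # assumed baseline for the December fix
CISA_DEADLINE = date(2025, 12, 23)         # deadline stated by CISA


def parse_patch_level(value: str) -> Optional[date]:
    """Parse a YYYY-MM-DD patch level string; return None if it is malformed."""
    try:
        y, m, d = (int(part) for part in value.strip().split("-"))
        return date(y, m, d)
    except ValueError:          # wrong field count, non-numeric, or invalid date
        return None


def devices_needing_update(inventory: Dict[str, str],
                           required: date = REQUIRED_PATCH_LEVEL) -> Dict[str, str]:
    """Return {serial: reason} for every device not yet at the required level.

    Unreadable values are reported too: an unknown level is an unverified device.
    """
    stale = {}
    for serial, raw in inventory.items():
        level = parse_patch_level(raw)
        if level is None:
            stale[serial] = f"unreadable patch level {raw!r}"
        elif level < required:
            stale[serial] = f"patch level {level} predates {required}"
    return stale


def days_until_deadline(today: date, deadline: date = CISA_DEADLINE) -> int:
    """Days left (negative once the deadline has passed)."""
    return (deadline - today).days


# Constructed sample inventory (serial -> getprop output); not real devices.
SAMPLE_INVENTORY = {
    "PIXEL-0001": "2025-12-01",   # at the assumed baseline: compliant
    "SM-A-0002": "2025-11-01",    # November level: still needs the update
    "SM-B-0003": "2025-12-05",    # later level: compliant
    "UNKNOWN-0004": "",           # property not returned: flagged as unverified
}

if __name__ == "__main__":
    for serial, reason in devices_needing_update(SAMPLE_INVENTORY).items():
        print(f"{serial}: {reason}")
```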
