Google has corrected more than a hundred vulnerabilities in Android with the December update, two of them zero-day and high gravity that have been actively exploited against specific targets.
The December security bulletin includes 107 vulnerabilities in Android present in the framework, system, kernel and third-party closed source components which will be fixed with the December 1st or December 5th patch.
In this list, Google has highlighted two zero-day vulnerabilities, CVE-2025-48633 and CVE-2025-48572, which are classified as high severity. Of them, he said that “they may be subject to limited and segmented exploitation”, as stated on the page of the December security bulletin.
Although it has not provided a description of the vulnerabilities, Google indicates that the first is a security problem. information disclosure and the second, of elevation of privileges.
Also collected is a critical vulnerability (CVE-2025-48631) Denial of service in ‘framework’ of Android, and four more of the same severity in the kernel: CVE-2025-48623, CVE-2025-48624, CVE-2025-48637 and CVE-2025-48638, all elevation of privileges