Google’s latest Android security update fixes two actively exploited flaws
Google has released its latest Android security update, fixing 107 vulnerabilities, two of which are being actively exploited. The update covers system, kernel and Qualcomm components, and some of the vulnerabilities could lead to privilege escalation or information disclosure.
2025-12-2 10:23:7 Author: securityaffairs.com

Pierluigi Paganini December 02, 2025

Google’s latest Android security update fixes 107 flaws across multiple components, including two vulnerabilities actively exploited in the wild.

Google’s new Android update patches 107 vulnerabilities, including two already exploited in the wild, across system, kernel, and major vendor components.

December’s Android update offers two patch levels (12-01, 12-05) for faster fixes across devices.

The two high-severity vulnerabilities that are “under limited, targeted exploitation” are:

  • CVE-2025-48572 – An elevation of privilege vulnerability in Framework
  • CVE-2025-48633 – An information disclosure vulnerability in Framework

As usual, Google did not provide technical details about the attacks exploiting the above vulnerabilities.

The tech giant also addressed the following critical vulnerabilities in the kernel component:

| CVE | References | Type | Severity | Subcomponent |
|---|---|---|---|---|
| CVE-2025-48623 | A-436580278, Upstream kernel [2] | EoP | Critical | pKVM |
| CVE-2025-48624 | A-443053939, Upstream kernel | EoP | Critical | IOMMU |
| CVE-2025-48637 | A-443763663, Upstream kernel [2] | EoP | Critical | pKVM |
| CVE-2025-48638 | A-442540376, Upstream kernel [2] | EoP | Critical | pKVM |

and Qualcomm closed-source components:

| CVE | References | Severity | Subcomponent |
|---|---|---|---|
| CVE-2025-47319 | A-421905250* | Critical | Closed-source component |
| CVE-2025-47372 | A-442619421* | Critical | Closed-source component |

“The most severe of these issues is a critical security vulnerability in the Framework component that could lead to remote denial of service with no additional execution privileges needed,” reads the advisory published by Google. “The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

Source: https://securityaffairs.com/185226/security/googles-latest-android-security-update-fixes-two-actively-exploited-flaws.html