Google’s latest Android security update fixes two actively exploited flaws

Google’s latest Android security update fixes 107 flaws across multiple components, including two vulnerabilities actively exploited in the wild.

Google’s new Android update patches 107 vulnerabilities, including two already exploited in the wild, across system, kernel, and major vendor components.


December’s Android update offers two patch levels (12-01, 12-05) for faster fixes across devices.

The two high-severity vulnerabilities that are “under limited, targeted exploitation” are:

  • CVE-2025-48572 – An elevation of privilege vulnerability in Framework
  • CVE-2025-48633 – An information disclosure vulnerability in Framework

As usual, Google did not provide technical details about the attacks exploiting the above vulnerabilities.

The tech giant also addressed the following critical vulnerabilities in the kernel component:

CVE             References                        Type  Severity  Subcomponent
CVE-2025-48623  A-436580278, Upstream kernel [2]  EoP   Critical  pKVM
CVE-2025-48624  A-443053939, Upstream kernel      EoP   Critical  IOMMU
CVE-2025-48637  A-443763663, Upstream kernel [2]  EoP   Critical  pKVM
CVE-2025-48638  A-442540376, Upstream kernel [2]  EoP   Critical  pKVM

and Qualcomm closed-source components:

CVE             References    Severity  Subcomponent
CVE-2025-47319  A-421905250*  Critical  Closed-source component
CVE-2025-47372  A-442619421*  Critical  Closed-source component

“The most severe of these issues is a critical security vulnerability in the Framework component that could lead to remote denial of service with no additional execution privileges needed,” reads the advisory published by Google. “The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”


Pierluigi Paganini

(SecurityAffairs – hacking, Google)