Two Android 0-day bugs disclosed and fixed, plus 105 more to patch

Two high-severity Android bugs were exploited as zero-days before Google issued a fix, according to its December Android security bulletin. The two vulnerabilities are CVE-2025-48633, an information-disclosure flaw in Android's framework component, and CVE-2025-48572, an elevation-of-privilege bug also in the framework component. Both are ranked high severity, and according to Google, both "may be under limited, targeted exploitation." Both of these – plus an additional 105 security holes – all have patches, so it's a good idea to update your Android software ASAP. Google didn't provide any details about who is exploiting the vulnerabilities, nor to what end, but we know that commercial spyware and government-sponsored attackers like to exploit these types of mobile device zero-days for snooping purposes. This latest zero-day follows an emergency patch that Google issued last month for a high-severity Chrome bug that attackers have already found and exploited in the wild. That vulnerability, tracked as CVE-2025-13223, is a type confusion flaw in the V8 JavaScript engine, and it marked the seventh Chrome zero-day this year. All have since been patched. Google Chrome bug exploited as an 0-day - patch now or risk full system compromise Fortinet 'fesses up to second 0-day within a week Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware Miscreants are exploiting enterprise tech zero days more and more, Google warns Seven bugs achieved a critical-severity rating in the Android December patch marathon. Google says the most serious of these is CVE-2025-48631, also in the framework component, which "could lead to remote denial of service with no additional execution privileges needed." There are also four critical escalation-of-privilege bugs in the kernel (CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638), plus two critical vulnerabilities (CVE-2025-47319, CVE-2025-47372) affecting Qualcomm closed-source components. According to Qualcomm's security advisory, CVE-2025-47319 can allow "information disclosure while exposing internal TA-to-TA communication APIs to HLOS." CVE-2025-47372, a critical buffer overflow flaw, occurs when a corrupted ELF image with an oversized file is read into a buffer without authentication. Get patching on all of these 107 Android device security issues now - because Microsoft and friends will probably push even more updates during this month's Patch Tuesday event on December 9. ®