---
title: "Two Android 0-day bugs disclosed and fixed, plus 105 more to patch"
type: "News"
locale: "en"
url: "https://longbridge.com/en/news/268304497.md"
description: "Google disclosed and patched two high-severity Android zero-day vulnerabilities, CVE-2025-48633 and CVE-2025-48572, in its December security bulletin. These bugs were exploited before the fix, and Google warns of limited, targeted exploitation. Additionally, 105 other security issues have been patched. Users are advised to update their Android software promptly. The vulnerabilities are often exploited by spyware and government attackers. Seven bugs received critical-severity ratings, including CVE-2025-48631, which could lead to remote denial of service."
datetime: "2025-12-02T18:50:44.000Z"
locales:
  - [zh-CN](https://longbridge.com/zh-CN/news/268304497.md)
  - [en](https://longbridge.com/en/news/268304497.md)
  - [zh-HK](https://longbridge.com/zh-HK/news/268304497.md)
---

# Two Android 0-day bugs disclosed and fixed, plus 105 more to patch

Two high-severity Android bugs were exploited as zero-days before Google issued a fix, according to its December Android security bulletin.

The two vulnerabilities are CVE-2025-48633, an information-disclosure flaw in Android's framework component, and CVE-2025-48572, an elevation-of-privilege bug also in the framework component. Both are ranked high severity, and according to Google, both "may be under limited, targeted exploitation."

Both of these – plus an additional 105 security holes – all have patches, so it's a good idea to update your Android software ASAP.

Google didn't provide any details about who is exploiting the vulnerabilities, nor to what end, but we know that commercial spyware and government-sponsored attackers like to exploit these types of mobile device zero-days for snooping purposes.

This latest zero-day follows an emergency patch that Google issued last month for a high-severity Chrome bug that attackers have already found and exploited in the wild. That vulnerability, tracked as CVE-2025-13223, is a type confusion flaw in the V8 JavaScript engine, and it marked the seventh Chrome zero-day this year. All have since been patched.

Seven bugs achieved a critical-severity rating in the Android December patch marathon. Google says the most serious of these is CVE-2025-48631, also in the framework component, which "could lead to remote denial of service with no additional execution privileges needed."

There are also four critical escalation-of-privilege bugs in the kernel (CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638), plus two critical vulnerabilities (CVE-2025-47319, CVE-2025-47372) affecting Qualcomm closed-source components.

According to Qualcomm's security advisory, CVE-2025-47319 can allow "information disclosure while exposing internal TA-to-TA communication APIs to HLOS." CVE-2025-47372, a critical buffer overflow flaw, occurs when a corrupted ELF image with an oversized file is read into a buffer without authentication.

Get patching on all of these 107 Android device security issues now - because Microsoft and friends will probably push even more updates during this month's Patch Tuesday event on December 9.