Google has kicked off December with one of its biggest Android security updates of the year, patching 107 vulnerabilities, including two high-severity zero-days currently under active exploitation. The update – split across patch levels 2025-12-01 and 2025-12-05 – arrives as Android manufacturers prepare their final software pushes before the new year.

It’s the second-largest vulnerability patch count of 2025, underscoring how rapidly mobile threats are evolving and how critical OS-level security has become for both users and developers.

Two actively exploited zero-days highlight ongoing Android risks

Google confirmed two zero-days in this month’s bulletin:

• CVE-2025-48633 – a high-severity vulnerability allowing attackers to access sensitive information through the Android framework.
  
• CVE-2025-48572 – a privilege escalation flaw that could let malicious apps gain unauthorized control.
  
  

Both appear to be under “limited, targeted exploitation,” according to Google – language that typically signals attacks against specific users rather than widespread campaigns.

The company also highlighted CVE-2025-48631, a critical framework flaw enabling remote denial of service with no user interaction required.

More than 100 fixes across framework, system, kernel, and chipset vendors

The December update covers vulnerabilities across nearly every layer of the Android ecosystem, including:

• 37 framework vulnerabilities
  
• 14 system fixes
  
• 9 kernel issues, four of which are critical
  
• Arm, MediaTek, Qualcomm, and Unisoc components, accounting for dozens more fixes
  
  

Chipset vendors continue to play a major role in Android security, given how deeply integrated their drivers are with the OS. MediaTek, Qualcomm, and Unisoc each shipped patches addressing critical bugs that could allow code execution, memory corruption, or hardware-level compromise.

Google says source code for the patched vulnerabilities will be published to the Android Open Source Project within days.

OEMs will roll out updates on their own schedules

As usual, Android device makers will release the patches individually after adapting them to their custom OS layers. Pixel devices typically receive updates first, followed by Samsung, OnePlus, and others over the coming weeks.

This fragmented update model is one of Android’s ongoing security challenges, as millions of devices may remain unpatched for months – or indefinitely – depending on manufacturer support cycles.

What this means for app security in 2026

With the rise of advanced mobile malware, AI-assisted attacks, and increasingly complex supply chains, Android security will be shaped by:

• OS-level protection
  
• hardware-level patching
  
• developer-driven safeguards
  
• user awareness and update adoption
  
  

Developers should be prepared for a year where app security isn’t just a backend concern – it’s a core part of the product experience.

The bottom line

Google’s December patch drop is more than a routine update – it’s a reminder of how dynamic and high-stakes mobile security has become. With 107 vulnerabilities addressed and multiple zero-days in the wild, the message is clear: app developers must stay proactive, test across OS versions, and build resilient security into every layer of their products.

Security is no longer a checkbox for 2026 – it’s a competitive advantage.