Google addresses 107 Android vulnerabilities, including two zero-days


Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices.

The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, which attackers can exploit to access information and escalate privileges, respectively. Google said both vulnerabilities, which had not been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog as of Monday afternoon, may be under limited, targeted exploitation.

Google’s public vulnerability disclosure and reporting program for Android has been uneven this year. While the company typically issues dozens of security patches each month, Google reported no vulnerabilities in July and October, just six in August and two vulnerabilities in November. 

Google did not respond to questions about the occasional lulls in vulnerability disclosure and hasn’t described any changes to its process that might explain the lower numbers in some months this year. 

The company’s latest security update contains the second-highest number of vulnerabilities patched so far this year, behind only the 120 defects it addressed in September.

Google said the most severe vulnerability this month — CVE-2025-48631 — is a critical defect affecting the framework, which attackers can exploit to achieve remote denial of service with no additional execution privileges required. 

The Android security bulletin for December includes two patch levels — 2025-12-01 and 2025-12-05 — allowing Android partners to address common vulnerabilities on different devices. Android device manufacturers release security patches on their own schedule after they’ve customized operating system updates for their specific hardware.

The primary security update contains 37 vulnerabilities affecting the framework, including CVE-2025-48631, and 14 defects affecting the system. 

The second patch level addresses nine vulnerabilities affecting the kernel, including four that are designated critical. The update also contains fixes for two Arm component defects, four Imagination Technologies bugs, 17 vulnerabilities affecting MediaTek components, 13 Unisoc component flaws, and 11 defects in Qualcomm components, including two rated critical.
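As an added example (not from Google or the article), the following check sorts a device fleet by how much of the December bulletin each reported patch level covers, based on the two levels described above. The device IDs and inventory format are constructed, and the patch level is assumed to be the YYYY-MM-DD string Android reports in the `ro.build.version.security_patch` property.

```python
import re
from datetime import date

# Patch levels named in the December bulletin and what the article says each adds.
FRAMEWORK_SYSTEM_LEVEL = date(2025, 12, 1)  # framework and system fixes
KERNEL_VENDOR_LEVEL = date(2025, 12, 5)     # plus kernel and vendor component fixes

# Constructed inventory: "device-id,patch-level" (IDs and values are made up).
SAMPLE_INVENTORY = """\
phone-001,2025-12-05
phone-002,2025-12-01
tablet-003,2025-11-01
kiosk-004,unknown
phone-005,2025-09-05
"""

def parse_patch_level(value):
    """Return a date for a strict YYYY-MM-DD string, or None if malformed."""
    match = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not match:
        return None
    try:
        return date(*map(int, match.groups()))
    except ValueError:  # e.g. month 13
        return None

def classify(value):
    """Map a reported patch level to its coverage of the December bulletin."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"
    if level >= KERNEL_VENDOR_LEVEL:
        return "complete"
    if level >= FRAMEWORK_SYSTEM_LEVEL:
        return "framework-system-only"
    return "unpatched"

def audit(inventory):
    """Group device IDs by coverage status."""
    report = {"unpatched": [], "framework-system-only": [], "complete": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        device, _, level = line.partition(",")
        report[classify(level)].append(device.strip())
    return report

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices in the `unknown` group reported no parseable patch level and need manual follow-up rather than being counted as patched.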

Google said source code for all vulnerabilities addressed in this month’s Android security bulletin will be released to the Android Open Source Project repository by Wednesday.


Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.


