Overview
- Google’s December Android bulletin addresses 107 vulnerabilities across Framework, System, Kernel and vendor components, with two Framework bugs—CVE-2025-48633 and CVE-2025-48572—noted as possibly under limited, targeted exploitation.
- The most severe issue is CVE-2025-48631, a critical Framework flaw that could enable remote denial of service without additional execution privileges.
- Updates are split across patch levels 2025-12-01 and 2025-12-05, with source code slated for release to AOSP by midweek to support partner deployments.
- CISA added CVE-2025-48633 and CVE-2025-48572 to its Known Exploited Vulnerabilities catalog and required U.S. federal agencies to remediate by December 23.
- OEM rollouts have begun on staggered schedules: Samsung and Motorola are shipping fixes that include CVE-2025-48633, and the patches apply to Android versions 13 through 16.