Android December 2025 Security Update Addresses Critical DoS and Two Exploited Zero-Days

actively-exploited-vulnerability, endpoint-software-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 03:15 PM (16 sources)

Google released the December 2025 Android Security Bulletin, patching 107 vulnerabilities, including a critical remote Denial of Service (DoS) flaw (CVE-2025-48631) in the Android Framework and two zero-day vulnerabilities (CVE-2025-48633 and CVE-2025-48572) that are reportedly under active exploitation. The zero-days allow for information disclosure and elevation of privilege, affecting Android versions 13 through 16, and are believed to be targeted in limited attacks. The DoS vulnerability enables remote attackers to crash or disable devices without requiring user interaction or additional execution privileges.

The update is distributed in two patch levels (2025-12-01 and 2025-12-05), covering both core Android components and vendor-specific issues. Google’s disclosure highlights the ongoing threat posed by actively exploited vulnerabilities in the Android ecosystem and underscores the importance of timely patching by device manufacturers and users. The December update represents one of the largest patch releases of the year, following a period of irregular vulnerability reporting from Google.
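
The following Python code is an added example, not part of the original article or of Google's bulletin: it triages a device inventory against the two patch levels and the Android 13 through 16 range named above. The inventory rows are constructed, the status names are hypothetical, and the code assumes the Framework zero-day fixes ship in the 2025-12-01 level and that the 2025-12-05 level includes everything in 2025-12-01, as is usual for Android bulletins.

```python
from datetime import date

# Patch levels as named in the article.
CORE_LEVEL = date(2025, 12, 1)     # core Android components
FULL_LEVEL = date(2025, 12, 5)     # adds vendor-specific fixes
# Releases the article lists for CVE-2025-48633 and CVE-2025-48572.
AFFECTED_RELEASES = range(13, 17)  # Android 13 through 16

def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level, or None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None

def triage(release, patch_level):
    """Classify one device by Android release and security patch level."""
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown"            # cannot prove the device is patched
    if level >= FULL_LEVEL:
        return "patched"
    if level >= CORE_LEVEL:
        # Assumption: Framework fixes are part of the -01 level.
        return "core-only"
    try:
        affected = int(release) in AFFECTED_RELEASES
    except (TypeError, ValueError):
        affected = True             # unknown release: treat as affected
    return "exposed-zero-days" if affected else "behind"

def summarize(inventory):
    """Group device ids by triage status."""
    report = {}
    for device_id, release, patch_level in inventory:
        report.setdefault(triage(release, patch_level), []).append(device_id)
    return report

# Constructed sample inventory: (device id, release, patch level).
SAMPLE = [
    ("dev-01", "16", "2025-12-05"),
    ("dev-02", "15", "2025-12-01"),
    ("dev-03", "14", "2025-11-05"),
    ("dev-04", "12", "2024-03-01"),
    ("dev-05", "13", "unknown"),
]

if __name__ == "__main__":
    for status, ids in summarize(SAMPLE).items():
        print(f"{status}: {', '.join(ids)}")
```

On a real device the two inputs correspond to the `ro.build.version.release` and `ro.build.version.security_patch` system properties.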

Timeline

  1. Dec 3, 2025

    CISA adds the two Android Framework zero-days to the KEV catalog

    After not appearing in CISA's Known Exploited Vulnerabilities catalog when Google published the bulletin, the two exploited Android Framework flaws were later added to KEV. Multiple follow-on reports on December 3 noted the KEV listing for CVE-2025-48633 and CVE-2025-48572.

  2. Dec 3, 2025

    Google says AOSP source patches will follow bulletin release

    Google stated that source code for the vulnerabilities fixed in the December bulletin would be released to the Android Open Source Project repository within about 48 hours, by Wednesday after the bulletin's publication. This would make the fixes available to the broader Android ecosystem after the initial bulletin release.

  3. Dec 1, 2025

    Google publishes December 2025 Android security bulletin

    Google released the December 2025 Android Security Bulletin with patch levels 2025-12-01 and 2025-12-05, addressing 107 vulnerabilities across Framework, System, Kernel, and multiple vendor components. The bulletin identified CVE-2025-48631 as the most severe issue and said two Framework flaws, CVE-2025-48633 and CVE-2025-48572, were under limited, targeted exploitation.

Related Entities

Vulnerabilities

- Android Framework information disclosure in DevicePolicyManagerService hasAccountsOnAnyUser (CVE-2025-48633)
- Android Framework background activity launch privilege escalation (CVE-2025-48572)
- Remote persistent denial of service in Android System LocalImageResolver (CVE-2025-48631)
- Qualcomm boot process ELF image buffer overflow memory corruption (CVE-2025-47372)
- Information disclosure in Qualcomm closed-source TA-to-TA communication APIs exposed to HLOS (CVE-2025-47319)
- Out-of-bounds write in Android Kernel pKVM __pkvm_load_tracing (CVE-2025-48638)
- Out-of-bounds write in Android Kernel arm-smmu-v3 IOMMU (CVE-2025-48624)
- Local privilege escalation in Android Kernel pKVM mem_protect.c (CVE-2025-48637)
- Local Privilege Escalation in Android Kernel pKVM init_pkvm_hyp_vcpu (CVE-2025-48623)
- Imagination PowerVR GPU improper memory protection handling allows write access to read-only exported buffers (CVE-2025-58410)
- NULL Pointer Dereference in Imagination PowerVR GPU driver (CVE-2025-46711)
- Use-after-free in Linux kernel eventpoll epoll refcount handling (CVE-2025-38349)
- Qualcomm memory corruption while processing user buffers (CVE-2025-47351)
- Use-After-Free in Arm Valhall / 5th Gen GPU Kernel Driver (CVE-2025-6349)
- Android System forwarded intent user profile boundary bypass EoP (CVE-2025-48566)
- Confused deputy privilege escalation in Android SettingsSliceProvider (CVE-2025-48536)
- Use-after-free in Linux kernel AF_UNIX MSG_OOB handling (CVE-2025-38236)
- Linux kernel af_unix stale oob_skb handling in OOB data path (CVE-2024-35970)
- Information disclosure in Imagination PowerVR trusted execution environment isolation (CVE-2025-6573)
- Memory corruption in Qualcomm DSP service buffer allocation (CVE-2025-47354)
- Use-after-free in Imagination PowerVR GPU kernel driver (CVE-2025-25177)
- Use-After-Free in Arm Valhall and 5th Gen GPU Architecture Kernel Driver (CVE-2025-8045)
- Memory corruption in Qualcomm boot loader firmware loading (CVE-2025-47382)
- Android Runtime use-after-free privilege escalation in Chrome sandbox escape chain (CVE-2025-48543)
- Linux kernel POSIX CPU timers race condition use-after-free in handle_posix_cpu_timers() (CVE-2025-38352)
- Remote DoS in Unisoc modem input validation (CVE-2025-31717)
- Android CallRedirectionProcessor permission bypass leading to local privilege escalation (CVE-2023-40130)
- Remote DoS in Unisoc NR Modem Input Validation (CVE-2025-11133)

Related Stories

Google March Android Security Bulletin Patches 129 Flaws Including Actively Exploited Qualcomm Display Zero-Day

Google released the March 2026 *Android Security Bulletin*, issuing fixes for **129 vulnerabilities** across the Android ecosystem and shipping two patch levels (`2026-03-01` and `2026-03-05`) to help OEMs stage platform and hardware-specific updates. The most urgent issue is **CVE-2026-21385**, a **high-severity, actively exploited** zero-day in an open-source **Qualcomm display** component used in Android devices with affected Qualcomm/Snapdragon chipsets. Reporting indicates CVE-2026-21385 is a **memory-corruption** flaw caused by an **integer overflow/wraparound** condition that can lead to memory corruption during allocation/alignment in display drivers; successful exploitation could enable device compromise (e.g., arbitrary code execution and/or privilege escalation) and bypass security boundaries. Google and Qualcomm both acknowledged **limited, targeted exploitation in the wild**, and one account attributes discovery/confirmation of exploitation to Google’s **Threat Analysis Group (TAG)**; devices not updated to at least patch level `2026-03-05` remain exposed, making rapid patch deployment and user update compliance the primary risk-reduction actions.

1 month ago

Android March Security Update Patches Actively Exploited Qualcomm Display Zero-Day

Google’s March Android security update addressed **129 vulnerabilities**, including one **actively exploited** high-severity memory-corruption flaw in an open-source **Qualcomm display component** tracked as **CVE-2026-21385**. Google warned the issue “may be under limited, targeted exploitation,” and reporting indicated Qualcomm marked the vulnerability as exploited; Qualcomm stated it provided fixes to customers in **January 2026** and urged end users to apply OEM-delivered device updates as they become available. Separately, the Canadian Centre for Cyber Security issued multiple vendor rollups and advisories on March 2, 2026, including an **Android monthly rollup (AV26-187)** pointing organizations to the Android Security Bulletin for patching guidance. Additional Canadian advisories covered unrelated vulnerability sets in **Veeam Kasten for Kubernetes (AV26-188)**, **VMware Tanzu products (AV26-186)**, **Red Hat (including Linux kernel updates) (AV26-184)**, **CISA ICS advisories for multiple OT/IoT products (AV26-183)**, **Dell infrastructure products (AV26-181)**, and **IBM enterprise software (AV26-180)**; these are general patch-notification items and do not provide details tied to the Android/Qualcomm zero-day beyond directing readers to apply vendor updates.

1 month ago

Critical Zero-Click RCE Vulnerability (CVE-2025-48593) in Android System Component

Google released a security update in November 2025 to address a critical remote code execution vulnerability, CVE-2025-48593, in the Android System component. This flaw allows attackers to execute code remotely on affected devices running Android versions 13 through 16 without requiring user interaction or additional execution privileges. The vulnerability stems from insufficient validation of user input, making it possible for exploitation via a zero-click attack vector. The update also addressed a separate privilege escalation issue, CVE-2025-48581, affecting Android 16, but the primary concern is the zero-click RCE, which requires immediate patching due to its severity. Google has stated that there is no evidence of active exploitation in the wild at the time of the update. Security experts urge all users and organizations to apply the November 2025 security patch promptly to mitigate the risk posed by this critical vulnerability.

1 month ago
