Google announces that Android had a total of 107 vulnerabilities through which hackers could infiltrate, but it has already been fixed

Google has disclosed two actively exploited zero-day vulnerabilities in its most recent monthly security update for Android devices. The vulnerabilities, identified as CVE-2025-48633 and CVE-2025-48572, are high-severity flaws that affect the Android framework, allowing attackers to access information and escalate privileges. Despite their severity, they have not yet been included in the catalog of known exploited vulnerabilities by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Problems with Android

The December security notice is significant, as it includes a total of 107 resolved defects, making this the second highest number of patched vulnerabilities this year, only surpassed by the 120 fixed in September. This year has been irregular in terms of vulnerability disclosure, with months where no defects were reported, such as July and October, and a total of only six vulnerabilities in August.

The latest Google update features two patch levels —2025-12-01 and 2025-12-05— that will allow Android partners to address common vulnerabilities across different devices. Android device manufacturers typically release security updates according to their own schedule, customizing operating system updates for their specific hardware.

It has also been indicated that the most critical vulnerability addressed in this patch is CVE-2025-48631, which could allow an attacker to carry out a remote denial of service attack without the need for additional privileges. The update includes fixes for various areas, from the framework and system to critical components from manufacturers such as Qualcomm and MediaTek.

Finally, it has been confirmed that the source code for all the vulnerabilities addressed in this update will be released in the Android Open Source Project repository on Wednesday.