Two high-severity Android bugs were exploited as zero-days before Google issued a fix, according to its December Android security bulletin.

The two vulnerabilities are CVE-2025-48633, an information-disclosure flaw in Android's framework component, and CVE-2025-48572, an elevation-of-privilege bug also in the framework component. Both are ranked high severity, and according to Google, both "may be under limited, targeted exploitation."

Both of these, plus an additional 105 security holes, now have patches, so it's a good idea to update your Android software ASAP.

Google didn't provide any details about who is exploiting the vulnerabilities, nor to what end, but we know that commercial spyware and government-sponsored attackers like to exploit these types of mobile device zero-days fo
