Two Android 0-day bugs disclosed and fixed, plus 105 more to patch
- Reference: 1764701268
- News link: https://www.theregister.co.uk/2025/12/02/android_0_days/
- Source link:
The two vulnerabilities are CVE-2025-48633, an information-disclosure flaw in Android's framework component, and CVE-2025-48572, an elevation-of-privilege bug also in the framework component. Both are rated high severity, and according to Google, both "may be under [1]limited, targeted exploitation."
Both of these – plus an additional 105 security holes – all have patches, so it's a good idea to update your Android software ASAP.
Google didn't provide any details about who is exploiting the vulnerabilities, nor to what end, but we know that commercial spyware vendors and government-sponsored attackers like to exploit these types of mobile device [3]zero-days for snooping purposes.
On Tuesday, the US Cybersecurity and Infrastructure Security Agency added both CVE-2025-48633 and CVE-2025-48572 to its [6]Known Exploited Vulnerabilities (KEV) Catalog, requiring federal agencies to patch by December 23 and "strongly" urging all organizations to do the same "to reduce their exposure to cyberattacks."
These latest zero-days follow an emergency patch that Google issued last month for a [7]high-severity Chrome bug that attackers had already found and exploited in the wild.
That vulnerability, tracked as [9]CVE-2025-13223, is a type confusion flaw in the V8 JavaScript engine, and it marked the seventh Chrome zero-day this year. All have since been patched.
[10]Google Chrome bug exploited as an 0-day - patch now or risk full system compromise
[11]Fortinet 'fesses up to second 0-day within a week
[12]Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware
[13]Miscreants are exploiting enterprise tech zero days more and more, Google warns
Seven bugs achieved a critical-severity rating in the Android December patch marathon. Google says the most serious of these is CVE-2025-48631, also in the framework component, which "could lead to remote denial of service with no additional execution privileges needed."
There are also four critical escalation-of-privilege bugs in the kernel (CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638), plus two critical vulnerabilities (CVE-2025-47319, CVE-2025-47372) affecting Qualcomm closed-source components.
According to Qualcomm's [14]security advisory, CVE-2025-47319 can allow "information disclosure while exposing internal TA-to-TA communication APIs to HLOS." CVE-2025-47372, a critical buffer overflow flaw, occurs when a corrupted ELF image with an oversized file is read into a buffer without authentication.
Get patching on all of these 107 Android device security issues now - because Microsoft and friends will probably push even more updates during this month's Patch Tuesday event on December 9. ®
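Telling whether a given handset actually carries this month's fixes comes down to one property: `ro.build.version.security_patch`, which the bulletin keys its two patch levels against (2025-12-01 for the framework and kernel fixes, 2025-12-05 for the vendor and closed-source component fixes, including the Qualcomm ones). The script below is an added example, not code from The Register or Google: it parses `adb shell getprop` output, reads that property alongside the Android release, and reports how far behind the December bulletin a device is. The embedded `getprop` dump is constructed for the example, not captured from a real device; the `assess_live_device` helper is an assumption about how you would wire it to a real phone over adb.

```python
"""Compare an Android device's declared security patch level with the
December 2025 bulletin. Added example; the getprop sample is constructed."""
import re
import subprocess
from datetime import date
from typing import Optional

# Patch levels defined by the 2025-12-01 Android security bulletin.
# The -01 level covers framework/kernel fixes (CVE-2025-48633 and
# CVE-2025-48572 among them); the -05 level additionally covers the
# vendor/closed-source component fixes such as the Qualcomm ones.
FRAMEWORK_LEVEL = date(2025, 12, 1)
VENDOR_LEVEL = date(2025, 12, 5)

# Constructed sample of `adb shell getprop` output (not a real device dump).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.sdk]: [34]
[ro.build.version.security_patch]: [2025-10-05]
[ro.product.model]: [EXAMPLE-DEVICE]
"""

# getprop prints one "[name]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn getprop output into a {name: value} dict, skipping odd lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value: str) -> date:
    """The property is YYYY-MM-DD; fail loudly on anything else rather than guess."""
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def assess(props: dict) -> dict:
    """Report whether the declared level reaches each December 2025 bulletin level."""
    level = parse_patch_level(props["ro.build.version.security_patch"])
    return {
        "release": props.get("ro.build.version.release", "?"),
        "patch_level": level.isoformat(),
        "has_framework_fixes": level >= FRAMEWORK_LEVEL,
        "has_vendor_fixes": level >= VENDOR_LEVEL,
        # Days between the device's level and the full December level; 0 if current.
        "days_behind": max(0, (VENDOR_LEVEL - level).days),
    }


def assess_live_device(serial: Optional[str] = None) -> dict:
    """Assumed wiring for a real device: needs adb on PATH and an authorized device."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return assess(parse_getprop(out))


if __name__ == "__main__":
    for key, value in assess(parse_getprop(SAMPLE_GETPROP)).items():
        print(f"{key}: {value}")
```

Two caveats when reading the result: the property is what the OEM build declares, so a device can report 2025-12-01 while the vendor half of the fixes only arrives with a later 2025-12-05 build, which is why the script tracks both levels separately; and a device still on an older Android release can legitimately report a current patch level, so the release number on its own says nothing about exposure to these CVEs.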
[1] https://source.android.com/docs/security/bulletin/2025-12-01
[3] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days/
[6] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[7] https://www.theregister.com/2025/11/18/google_chrome_seventh_0_day/
[9] https://nvd.nist.gov/vuln/detail/CVE-2025-13223
[10] https://www.theregister.com/2025/11/18/google_chrome_seventh_0_day/
[11] https://www.theregister.com/2025/11/19/fortinet_confirms_second_fortiweb_0day/
[12] https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/
[13] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days/
[14] https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
Does this matter?
It seems that phones go out of support every other month (depending on vendor and model) and if you stopped 100 people in the street and asked them whether their phone was up-to-date probably only half a dozen could give you an accurate answer. Of the same group, how many are doing banking and shopping payments on that device? Apparently almost no-one cares.
Contrast with the situation on PCs where the imminent demise of Win10 support was headline news and loads of people fretted over whether it was safe to use their PC if they didn't upgrade.
So where is the truth here? Are most phones recklessly unsafe, or do we worry needlessly about our PCs, or is there a technical reason why it is OK to do financial transactions on a phone but not a PC?
(I was asked this recently and while my gut feeling leans towards the first option, I am genuinely in some doubt because the rest of the world seems to favour the other two and the sky has not fallen in.)
Have to be patient
The article makes it sound as if the users have control and can just go update their devices, when in reality of course they are more often than not in a situation where they have to wait for their carrier or device manufacturer to release the updates (assuming they release them at all).
I know El Reg knows this as well, which is why the tone of the article was rather odd to me.
For me, I will upgrade to Android 15 soon on my S24 Ultra. Samsung has underestimated my ability to dismiss their upgrade notifications 5-6 times per day every day for the past 6 months, and unlike security updates, upgrades cannot be forced on devices (well, at least not on my device after I set some setting that I forget what setting it was now).
Samsung also underestimates my ability to dismiss their requests for me to agree to their new privacy policy ("in order to get access to the latest offers and perhaps AI stuff")!
I am generally pretty careful what I use my phone for though, such as disabling auto MMS download. I really don't use it for any payments, or buying online (unless it's a last resort); I use my computer for that stuff.
I'd be happier if, rather than major version upgrades, I could just get the security patches for as long as a particular version of Android is supported, and only when support is gone entirely upgrade to the next version. Reality is of course most carriers (perhaps manufacturers too) I think abandon the older versions the moment a new version comes out. So for example I am on Android 14, which from what I can see still gets security updates from Google, but those updates don't get to me since my carrier/manufacturer wants me to upgrade to 15 instead.