In its latest Android Security Bulletin, Google disclosed 107 zero-day vulnerabilities affecting elements of its mobile operating system and any system relying on the open source version of it, Android Open Source Project (AOSP).
The advisory, published on December 1, included patches for 51 flaws – 37 affecting the Android framework and 14 defects affecting the system – with the rest to be shared on December 5.
Out of the 51 patched flaws, three are of particular significance.
Two of them, tracked as CVE-2025-48633 and CVE-2025-48572, “may be under limited, targeted exploitation,” said Google.
Both are classified as information disclosure (ID) issues in the Android framework with high severity ratings. They both affect Android 13, 14, 15 and 16.
When exploited, CVE-2025-48633 allows unauthorized disclosure of information and CVE-2025-48572 enables attackers to gain elevated access on vulnerable devices.
Neither had been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
The advisory also includes a critical security vulnerability in the Android Framework that could lead to remote denial of service with no additional execution privileges needed. This flaw is tracked as CVE-2025-48631.
The rest of the patches will be released on December 5.
These patches will account for 56 vulnerabilities affecting Android components in the kernel or in third-party components from vendors such as Arm, Imagination Technologies, MediaTek, Qualcomm and Unisoc.
