Android December 2025 Security Bulletin Patches Two In-The-Wild Zero‑Day Exploits

Google’s December 2025 Android security update patches more than one hundred vulnerabilities, including two actively exploited zero‑day flaws that enable remote code execution and privilege escalation on a broad range of supported devices. This release closes several high‑impact attack chains combining media framework, kernel and firmware bugs, and underscores the continued importance of timely over‑the‑air updates and robust supply‑chain coordination between Google, SoC vendors, and OEMs.

Overview of the December 2025 Bulletin

The December 2025 Android security bulletin addresses over one hundred CVEs across the framework, system, media components, kernel, Arm and Qualcomm firmware, and Google Pixel‑specific features. The patch set is split into the usual security patch levels, with the initial level covering core framework and system components, and the later level integrating vendor and SoC fixes suitable for full‑stack device images. This structure allows OEMs to adopt a baseline level of security while they finalize integration of chipset and proprietary driver updates.

Actively Exploited Zero‑Day Vulnerabilities

Two vulnerabilities in this release are identified by Google as potentially or confirmed actively exploited in the wild. One resides in the Android system or framework layer and allows an application or remote content to achieve code execution with elevated privileges, bypassing standard sandboxing. The other affects a low‑level component such as the kernel or firmware, enabling an attacker to escalate privileges, compromise the trusted computing base, or escape containerization once an initial foothold has been gained.

Based on Google’s historical classification, the first zero‑day is likely reachable via common attack surfaces such as WebView, media parsing, or IPC interfaces exposed to less‑trusted apps. The second is expected to be useful for local privilege escalation after a successful initial compromise, for example chaining a browser or messaging‑app bug with a kernel or driver flaw to obtain full device control and persistent access to user data.

Attack Surface and Exploitation Scenarios

The primary attack surfaces implicated by the December 2025 patches include the media framework, file and content parsers, kernel subsystems, and vendor‑specific hardware abstraction layers. Attackers typically begin with a memory corruption or logic bug reachable from untrusted input, such as crafted multimedia files, web content, or messages delivered through popular apps. Once code execution in an app sandbox is achieved, an in‑kernel or privileged service vulnerability is used to escape confinement, disable SELinux policies or security controls, and gain access to key material and system partitions.

In practical exploitation scenarios, the zero‑days can support both targeted and opportunistic campaigns. For example, a threat actor might use a drive‑by web exploit to trigger a WebView or media parsing bug, then leverage the kernel vulnerability to install a spyware implant with root privileges, surviving reboots and hiding its presence from user‑space antivirus tools. Enterprise mobile device management environments are also at risk if compromised devices can access corporate resources, as attackers can pivot from a rooted handset into internal services over VPN or Wi‑Fi.

Technical Characteristics of Patched Bugs

The vulnerabilities closed in this update span classic memory corruption issues and higher‑level logic flaws. In memory‑unsafe components such as native media libraries and some HAL implementations, issues include heap and stack buffer overflows, use‑after‑free conditions, out‑of‑bounds reads and writes, and integer overflows leading to incorrect allocation sizes. These issues allow attackers to craft inputs that corrupt control structures, overwrite return addresses or function pointers, and eventually hijack execution flow.

Logic and design flaws in higher‑level code can be equally dangerous. Examples include improper permission checks in system services, incorrect enforcement of SELinux or binder policies, unsafe exposure of privileged intents or broadcast receivers, and weaknesses in data deserialization that lead to object injection or type confusion. In some cases, attackers can exploit race conditions between permission verification and resource access, or abuse misconfigured debug interfaces that remain enabled in release builds.

Impact on Device Security and User Privacy

Successful exploitation of the patched zero‑days and related vulnerabilities can result in full compromise of device confidentiality, integrity, and availability. With elevated privileges, an attacker can access SMS messages, messaging‑app content, emails, photos, location history, authentication tokens, and stored credentials. They can also silently enable microphones and cameras, install or remove apps, and tamper with security settings such as device encryption or screen‑lock policies.

For enterprise deployments, the impact extends to corporate data stored or accessed via mobile devices. Compromised handsets can leak VPN credentials, cached Single Sign‑On tokens, and application secrets used to authenticate to internal APIs. Attackers who achieve kernel‑level control can additionally bypass root‑of‑trust mechanisms, manipulate integrity checks, and interfere with mobile threat defense tooling intended to detect malicious behavior.

Mitigation, Patching, and Deployment Challenges

The primary mitigation for these vulnerabilities is timely installation of the December 2025 security update or the corresponding OEM firmware updates that bundle the relevant patches. Devices in the Pixel family and some Android One or flagship models typically receive updates quickly, while a substantial portion of the broader Android ecosystem faces delays due to vendor customization, carrier certification, and fragmentation across model lines and regions.

Organizations using Android devices for business purposes should enforce minimum patch levels via mobile device management policies, preventing devices without the December 2025 patches from accessing sensitive resources. Where immediate updates are not possible, hardening measures include constraining installation of unvetted apps, limiting access to high‑risk browsing or messaging channels, and using application sandboxing or virtualization technologies that reduce exposure of corporate workloads to the base operating system.

Hardening Recommendations and Detection Strategies

Security teams should update mobile endpoint detection and response solutions with new behavioral rules to identify signs of exploitation targeting media frameworks, browser components, and kernel subsystems. Indicators include unexpected crashes of system processes, anomalous binder or system call patterns, sudden changes in SELinux enforcement state, and the presence of binaries or scripts in typically immutable directories.

Additional hardening steps include tightening app permission policies, auditing the use of accessibility services, and restricting the ability of user applications to execute native code or load arbitrary shared libraries where feasible. Network‑level monitoring can help detect command‑and‑control traffic from compromised devices, particularly when attackers attempt to exfiltrate large volumes of data or maintain long‑lived encrypted connections to uncommon endpoints.

Implications for the Android Vulnerability Landscape

The presence of multiple actively exploited zero‑day vulnerabilities in a single monthly update continues a broader trend in which mobile platforms remain a prime target for both criminal and nation‑state threat actors. The complexity of the Android ecosystem, with its mix of open‑source components, proprietary drivers, and OEM customizations, contributes to a large and evolving attack surface that demands continuous research and rapid response.

The December 2025 bulletin reinforces several long‑standing lessons: memory‑unsafe code in performance‑critical paths remains a key source of severe bugs, strict defense‑in‑depth mechanisms are necessary to contain exploitation when individual layers fail, and coordinated disclosure and patch distribution remain central to limiting the window of exposure for end users and organizations.

Microsoft December 2025 Patch Outlook Highlights Ongoing Zero‑Day Risk And Platform Transition

The forecast for the December 2025 Microsoft Patch Tuesday indicates a moderate volume of fixes across Windows client and server platforms, Office, and server applications, following a month that already included exploitation of a Windows kernel zero‑day and a widely discussed shortcut‑handling vulnerability. Organizations face a dual challenge of deploying these patches while managing the end‑of‑support transition for multiple Microsoft products and the debut of Windows 10 Extended Security Updates.

Context: November Zero‑Day And ESU Introduction

In November, Microsoft addressed a Windows kernel elevation of privilege vulnerability identified as CVE‑2025‑62215, which had been observed under active exploitation. Successful exploitation allowed attackers to escalate local privileges, often as part of multi‑stage intrusion chains that began with phishing or remote code execution in userland applications. In the same time frame, Microsoft delivered the first wave of Extended Security Updates for Windows 10 version 22H2, marking the beginning of a paid support phase for organizations that continue to rely on this platform.

This overlap of a live kernel zero‑day and the start of ESU underscores the risk for enterprises that delay migration while attempting to maintain operational compatibility. Systems that are not enrolled in ESU and remain on unsupported versions become increasingly attractive targets due to predictable unpatched vulnerabilities and public awareness of their lifecycle status.

Expected Scope Of December 2025 Updates

The December Patch Tuesday release is expected to resemble November in overall scale, with updates for Windows 10 LTSC editions, Windows 11, and supported Windows Server versions from 2016 through 2025. The patch set is likely to include a mix of critical and important vulnerabilities, particularly in core components such as the Windows kernel, graphics and networking stacks, and common services used across client and server SKUs.

On the application side, Microsoft 365 Apps are anticipated to receive fixes for multiple vulnerabilities, some of which may be rated critical when they enable code execution through document parsing, scripting, or integration with external content. SharePoint Server and SQL Server updates categorized as important will likely focus on privilege boundaries within server processes, injection risks, and authentication or encryption weaknesses in their network interfaces.

Ongoing Fixes For Shortcut Handling And XAML Components

Alongside the regular security bulletins, Microsoft has been iterating on corrections to a vulnerability in the handling of Windows shortcut files with the .LNK extension. Exploitation of this class of bugs often involves embedding malicious shortcuts in archives or removable media, which then trigger arbitrary code execution when rendered by Explorer or other shell components. Earlier in the year, third‑party researchers detailed how subtle changes to shortcut resolution can break or bypass mitigations, prompting both out‑of‑band protections and gradual hardening within Windows itself.

Microsoft has also been addressing issues affecting XAML‑dependent applications, including Explorer and the Start menu, that manifested as crashes or unexpected termination on some enterprise configurations. While a late‑November preview update mitigated the main symptoms, side effects such as screen flashing in dark mode with File Explorer still required further refinement. These fixes are operationally significant, as stability problems in core shell components can delay security patch rollouts when administrators fear user‑facing disruptions.

End‑Of‑Support Pressures And ESU Operationalization

The end of 2025 marks the formal conclusion of support for several Microsoft operating systems and applications, with fewer last‑minute extensions than in prior cycles. Many organizations must therefore decide between accelerated migration projects, selective adoption of ESU for critical Windows 10 systems, or acceptance of increased risk on legacy platforms. From a security operations perspective, this transition complicates patch management, as different segments of the environment may be governed by distinct update channels and eligibility criteria.

Implementing ESU at scale involves more than license purchase. Enterprises need to verify that eligible systems are running the required 22H2 baseline, ensure that update infrastructure such as WSUS or configuration management tools can distribute ESU content, and monitor compliance for machines that may be intermittently connected or located in constrained network segments. Failure in any of these areas can leave pockets of vulnerable machines that adversaries can leverage as beachheads.

Third‑Party Patch Alignment: Browsers And Productivity Software

December’s Microsoft patches are expected to coincide with security releases from other major vendors. Google’s Chrome browser is anticipated to reach a new stable version that incorporates fixes tested in recent beta builds, addressing vulnerabilities in the V8 JavaScript engine, graphics subsystems, and inter‑process communication layers. Mozilla has tended to align major Firefox security updates with Patch Tuesday, simplifying coordinated browser lifecycle management for enterprises.

Adobe products show a different pattern, with many Creative Cloud applications updated the previous month, reducing the likelihood of high‑volume December patches in that area. However, Acrobat and Reader are due for a significant update, often involving corrections for PDF parsing vulnerabilities that attackers can target with crafted documents. Synchronizing deployment of these updates with Microsoft’s releases allows security teams to remediate multiple attack surfaces in a single maintenance window.

Risk Management And Prioritization Strategy

Given the anticipated breadth of fixes and the ongoing discovery of zero‑days, organizations should prioritize vulnerabilities that are known exploited, remotely reachable without user interaction, or located in high‑exposure components such as domain controllers, public‑facing web servers, and mail gateways. Kernel‑level privilege escalation flaws should also rank highly, as they can be paired with a wide variety of initial access vectors.

A practical approach is to define a fast‑track patching group that includes internet‑facing systems, remote access infrastructure, and management servers, with a strict objective to deploy critical fixes within days. Less exposed or operationally sensitive systems can follow a staged rollout, incorporating additional testing for compatibility with specialized applications, drivers, and middleware.

Operational Considerations For Deployment

Before deploying December updates, administrators should validate backups for critical systems, confirm the availability of tested rollback procedures, and review known‑issues documentation for interactions with device drivers, security agents, or line‑of‑business applications. Particular attention should be paid to environments that rely heavily on virtual desktop infrastructure, where changes to graphics, profile handling, or shell behavior may impact user experience at scale.

After rollout, telemetry from endpoint detection tools, Windows event logs, and application performance monitoring platforms should be reviewed for anomalous spikes in crashes, authentication failures, or resource usage. Any instability associated with the new patches must be weighed against the risk of withholding them, especially when public exploit code or active attack campaigns are likely to emerge shortly after disclosure.

Strategic Implications For Enterprise Security Programs

The pattern of recurring zero‑day exploitation in core Windows components emphasizes the need for layered defense strategies that assume periodic patch gaps. Technology such as application control, credential protection, privileged access management, and exploit mitigation frameworks can reduce the impact of delayed patches or the window between disclosure and deployment.

The December cycle also illustrates how lifecycle management, licensing decisions, and infrastructure modernization are tightly coupled with vulnerability management. Organizations that invest early in platform upgrades, standardized images, and automated patch orchestration will be better positioned to absorb future zero‑day events without disruptive emergency changes or prolonged exposure.