Google is gearing up for one of the biggest Pixel software releases of the year, the December 2025 Pixel Feature Drop, arriving alongside the stable Android 16 QPR2 update. The company has now published the December 2025 Android Security Bulletin, confirming the full list of vulnerabilities set to be patched on all supported Pixel devices starting this week.

While monthly patches typically outline common security fixes for Android partners, the December bulletin is always more notable because it often doubles as a preview of what’s shipping in the major end-of-year Pixel update. This year is no exception: Google has published an unusually large list touching nearly every layer of the Android stack, giving Pixel owners an early look at what’s addressed in the upcoming Pixel security update.

Critical Framework bug leads this month’s patches

The bulletin’s headline fix is a critical vulnerability in the Framework component (CVE-2025-48631) that could allow a remote attacker to trigger a denial-of-service (DoS) attack without requiring any execution privileges. The flaw impacts Android 13 through Android 16, meaning every supported Pixel model is covered.

Google says the severity rating reflects the potential impact if platform mitigations are disabled or bypassed, but notes that Android’s multilayer defenses such as sandboxing and Google Play Protect greatly reduce the real-world likelihood of exploitation.

Two other Framework vulnerabilities, CVE-2025-48633 and CVE-2025-48572, are marked as being under “limited, targeted exploitation”. Both are classified as information disclosure (ID) flaws across all recent Android versions, which Google warns partners about early under coordinated vulnerability disclosure.

Massive list of Framework & System fixes coming to Pixels

Beyond the critical bug, Google lists over 50 Framework-level vulnerabilities, almost all rated High severity. These include multiple escalation of privilege (EoP), information disclosure, and DoS issues affecting Android versions 13 through 16.

A few highlights:

  • Multiple EoP flaws (e.g., CVE-2025-48565, CVE-2025-48617, CVE-2025-48620) fixed across every OS version currently supported.
  • Several denial-of-service vulnerabilities impacting Android 16 specifically, including CVE-2025-48584 and CVE-2025-48607.
  • More targeted version coverage, such as fixes only for older branches like Android 13 and 14.

On the System side, the patch list also includes more than a dozen high-severity EoP and ID vulnerabilities, with CVE-2025-48536, CVE-2025-48575, CVE-2025-48612, and more impacting all active AOSP branches. Again, Pixel users should see all of these rolled into the December 2025 Pixel security update.

Android 16 kernel patches include multiple critical pKVM vulnerabilities

The 2025-12-05 patch level contains fixes that will ship specifically on Google’s Pixel update, including several critical kernel-level vulnerabilities, namely CVE-2025-48623, CVE-2025-48637, and CVE-2025-48638. All three are local EoP vulnerabilities affecting pKVM, the protected hypervisor used in Android virtualization. Another critical kernel issue, CVE-2025-48624, impacts the IOMMU subsystem.

These are the types of low-level vulnerabilities Google typically prioritizes for Pixels and Tensor-powered devices, especially as virtualization and secure computing become core to Android’s security posture. Upstream kernel patches also include high-severity issues affecting networking, epoll, and the KVM stack, spread across dozens of commits.

The bulletin also confirms the latest Linux kernel LTS update requirements, including an update to kernel 5.4.292 for devices that launched on Android 12 with 5.4 kernels. While relevant mostly for OEMs, it’s also a reminder of Google’s strict kernel update policies that affect Pixel support windows.
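A fleet check against the two concrete thresholds given above: the 2025-12-05 patch level and the 5.4.292 kernel floor for devices that launched on Android 12 with 5.4 kernels. This is an added example, not code from Google or the bulletin; it assumes `adb shell getprop` output and a `uname -r` string have been collected per device, and the sample data is constructed.

```python
import re
from datetime import date

REQUIRED_SPL = date(2025, 12, 5)   # patch level named in the article
MIN_KERNEL_5_4 = (5, 4, 292)       # LTS floor named in the article
ANDROID_12_API = 31                # API level of Android 12
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props

def kernel_tuple(release):
    """Extract (major, minor, sublevel) from a `uname -r` string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())

def audit(getprop_text, uname_r):
    """Return a list of findings; an empty list means both checks pass."""
    props = parse_getprop(getprop_text)
    findings = []
    spl = props.get("ro.build.version.security_patch")
    if spl is None:
        findings.append("security patch level not reported")
    elif date.fromisoformat(spl) < REQUIRED_SPL:
        findings.append(f"patch level {spl} is older than {REQUIRED_SPL}")
    kver = kernel_tuple(uname_r)
    launched_on_12 = props.get("ro.product.first_api_level") == str(ANDROID_12_API)
    if launched_on_12 and kver[:2] == (5, 4) and kver < MIN_KERNEL_5_4:
        findings.append(f"kernel {'.'.join(map(str, kver))} is below 5.4.292")
    return findings

# Constructed sample data, not captured from real devices.
SAMPLE_OLD = """[ro.build.version.security_patch]: [2025-11-05]
[ro.product.first_api_level]: [31]"""
SAMPLE_NEW = """[ro.build.version.security_patch]: [2025-12-05]
[ro.product.first_api_level]: [34]"""

if __name__ == "__main__":
    print(audit(SAMPLE_OLD, "5.4.289-android12-9-gabcdef"))
    print(audit(SAMPLE_NEW, "6.1.134-android14-11"))
```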

Vendor component fixes for Arm, Imagination, MediaTek, Unisoc & Qualcomm

The December bulletin wraps up with fixes provided by silicon vendors. These will apply differently depending on device hardware, but for Pixel owners, Qualcomm items are especially relevant.

Highlights include:

Arm Mali GPU:

  • Two high-severity GPU issues (CVE-2025-6349, CVE-2025-8045).

PowerVR GPU:

  • Multiple high-severity vulnerabilities affecting Imagination’s PowerVR lineup.

MediaTek, Unisoc:

  • Large lists of high-severity modem and IMS service vulnerabilities for OEMs using these chipsets.

Qualcomm components:

  • Three high-severity kernel/bootloader vulnerabilities.
  • Seven additional critical or high vulnerabilities in Qualcomm’s closed-source components (likely irrelevant to Pixels, which use Google Tensor but still contain Qualcomm-based wireless/communication components).

What this means for the Pixel December Feature Drop

The publication of this bulletin confirms that Google is in the final countdown toward releasing the Android 16 QPR2 stable update, the December 2025 Pixel Feature Drop, and the December Pixel security patch (2025-12-05).

Historically, Google ships the Feature Drop on the first Monday or Tuesday of every month, and the bulletin’s publication aligns with that timeline. Given that, Pixel owners should expect:

  • A sizeable update package thanks to these numerous Framework/System/kernel fixes
  • Additional bug fixes specific to Pixel devices (to be detailed in the Pixel Update Bulletin)
  • Several new Pixel features as part of the Feature Drop

Google will also update the bulletin with AOSP links within 48 hours once source patches are uploaded.

For now, the December 2025 Android Security Bulletin shows that Google is addressing a significant chunk of vulnerabilities, including several critical issues and two flaws under limited, targeted exploitation, across the entire Android stack. With the stable Android 16 QPR2 and December Feature Drop just around the corner, Pixel owners should prepare for one of the most important updates of the year.

The full Pixel patch notes and Feature Drop announcements should land very soon, and we’ll cover those as they roll out.

Hillary Keverenge