CVE-2025-48633 — Android Framework Information Disclosure Vulnerability

CVE-2025-48633

Android Framework — Sandbox-Escaping Information Disclosure, Exploited in Targeted Campaigns

What is Android Framework?

The Android Framework is the core Java/Kotlin API layer through which every Android application interacts with the operating system. It provides app lifecycle management, inter-process communication (IPC) via Binder, content providers for cross-app data sharing, permission enforcement, and access to system services (camera, location, contacts, telephony, and so on). The kernel enforces the per-app sandbox itself (each app runs under its own UID with SELinux confinement); the Framework enforces the permission model on top of that, deciding which callers may reach which data through system services and content providers. A bug that bypasses a Framework-level access check therefore lets a malicious app read data belonging to other apps or to system services without breaking the kernel boundary at all, potentially exposing authentication tokens, cryptographic keys, contacts, messages, or device identifiers.

Overview

CVE-2025-48633 is an information disclosure vulnerability in the Android Framework that lets a locally installed application running with ordinary app privileges read sensitive data it should not be able to reach. Google stated in the December 2025 bulletin that there are indications both CVE-2025-48633 and the companion CVE-2025-48572 (a Framework privilege escalation fixed in the same release) may be under "limited, targeted exploitation". That is the phrasing Google uses when it has evidence of real-world use, which in practice usually means commercial spyware vendors or state-sponsored actors. CISA added both CVEs to the KEV catalog on December 2, 2025, the day after the bulletin, with a 21-day federal remediation deadline.

Affected Versions

Platform     Vulnerable                          Fixed (patch level)
Android 13   Before the December 2025 update     2025-12-01
Android 14   Before the December 2025 update     2025-12-01
Android 15   Before the December 2025 update     2025-12-01
Android 16   Before the December 2025 update     2025-12-01

Devices reporting "Security patch level: December 1, 2025" or later carry the Framework-layer fix. The 2025-12-05 patch level additionally includes the kernel and vendor (SoC and OEM) component fixes from the same bulletin; a device on 2025-12-01 is fixed for this CVE but not necessarily for everything in the bulletin.

Technical Details

Google's December 2025 bulletin classifies CVE-2025-48633 as an information disclosure in the Framework component. As is usual for Android bulletins, the root cause and the affected code path are not described while the fix rolls out to OEM devices. Everything below is inferred from the CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) and the exploitation pattern, not from a published analysis:

  • Local attack vector (AV:L): code must already be running on the device, typically a malicious app. The bug cannot be triggered remotely on its own, so remote delivery needs a separate initial-execution exploit (in the browser or a messaging app, for example).
  • Low privileges required (PR:L): an ordinary third-party app, with no root, no system signature and no special permissions, can trigger it.
  • High confidentiality impact, no integrity or availability impact (C:H/I:N/A:N): the flaw only reads. Which data is exposed has not been disclosed; candidates consistent with a Framework bug are data from another app reachable through a system service, authentication tokens or device identifiers, or address information that helps defeat ASLR in a follow-on exploit.

The bulletin lists CVE-2025-48633 alongside CVE-2025-48572, a privilege escalation in the same Framework component, as the two issues under targeted exploitation, and the pairing suggests they were chained. Google has not described the chain. The plausible shape, given the two CVSS vectors, is that the information disclosure supplies something the escalation needs (an address leak to defeat ASLR in the target process, or a piece of data the escalation must present), after which CVE-2025-48572 gives the app privileges beyond its sandbox. Two caveats: both bugs are in the Framework, which is userspace, so an address leak here is more likely to matter for a privileged system process than for the kernel's KASLR; and the bulletin does not say how far the escalation reaches, so "full device compromise" should be read as the probable goal of the campaign rather than a property confirmed for this pair.

The December 2025 Android bulletin addressed 107 vulnerabilities across the Framework, System, Kernel and hardware driver components; these two were the only ones Google flagged as under exploitation.

Discovery

No external researcher is credited for CVE-2025-48633 in Google's bulletin. That, together with the exploitation note at release time, is consistent with Google's Threat Analysis Group (TAG) finding the bug in an in-the-wild exploit rather than with an external report that preceded exploitation, but Google has not said so, and the discovery path is not public.

Exploitation Context

Google's wording, "there are indications that CVE-2025-48633 may be under limited, targeted exploitation", is its standard phrasing when it has evidence of real-world use, typically by commercial spyware operators or state-sponsored groups; the hedged wording is the bulletin's convention, not an indication that the evidence is weak. CISA added the CVE to the KEV catalog on December 2, 2025, the day after the bulletin, with a December 23 deadline for federal civilian agencies.

A limited, targeted profile is typical of commercial surveillance tooling (NSO Group's Pegasus, Intellexa's Predator and similar) used against journalists, human rights workers, government officials and political dissidents, though the bulletin attributes the activity to no one. Because the attack vector is local, delivery means getting code onto the device first: either the victim is induced to install a malicious app, or a browser or messaging-app vulnerability yields initial sandboxed code execution, after which the chain moves through CVE-2025-48633 and CVE-2025-48572 to escape the sandbox.

Remediation

  1. Apply the Android December 2025 Security Update (patch level 2025-12-01 or later). OEM availability varies by manufacturer and device model.
  2. On Google Pixel devices, apply the December 2025 update immediately through Settings → Security & Privacy → System & Updates → Security update.
  3. If your device manufacturer has not released the December 2025 patch, consider whether the device is still receiving security updates and whether migration to a supported device is warranted.
  4. Enable Google Play Protect and avoid installing apps from outside the Play Store.
  5. For individuals at elevated risk: consider using a Pixel device (fastest patch delivery), minimize installed apps, and treat any unexpected app behavior as a potential indicator of compromise.
  6. Review app permissions and revoke any broader than necessary. Be clear about what this buys: the bug needs no special permissions (an ordinary app can trigger it), so permission hygiene does not prevent the trigger; it limits what a compromised app can reach on its own and makes an app that asks for unusual access stand out.
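A triage script as an added example (mine, not code from Google's bulletin or from the Android project) that covers the patch-level check from the Affected Versions section and remediation steps 1 and 4 above: it decides whether a reported security patch level includes the 2025-12-01 Framework fix, and lists third-party packages that were not installed through Google Play, which is where an operator would start looking for a sideloaded dropper. The adb device access and the `pm list packages -3 -i` line format are assumptions; the sample output embedded in the script is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added triage helper for this advisory; it is not code from Google's bulletin.
# Two checks: (1) does the device's reported security patch level include the
# 2025-12-01 Framework fix, and (2) which third-party packages were installed by
# something other than Google Play. The functions operate on text so they run
# offline against the constructed sample below; triage_device() shows the adb
# commands that produce the real text. Assumes a device reachable via adb with
# USB debugging enabled, and the usual `pm list packages -3 -i` line format.

FIXED_LEVEL="2025-12-01"   # patch level that carries the Framework-layer fix

# patch_level_ok LEVEL -> prints "patched", "vulnerable" or "unknown".
# ISO dates compare correctly as integers once the dashes are removed.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 2 ;;
    esac
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# flag_sideloaded reads `pm list packages -3 -i` output on stdin and prints
# "<package> <installer>" for every package not installed by com.android.vending
# (Google Play). installer=null means the installer is unknown, which is what a
# manually sideloaded APK usually shows.
# Input lines look like:  package:com.example.app  installer=com.android.vending
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*installer=*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}
        pkg=${pkg%% *}
        inst=${line##*installer=}
        inst=${inst%% *}
        case "$inst" in
            com.android.vending) ;;                 # Play Store: not flagged
            *) printf '%s %s\n' "$pkg" "$inst" ;;
        esac
    done
}

# Constructed sample of `pm list packages -3 -i` output (not from a real device).
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.fromotherstore  installer=com.sec.android.app.samsungapps'

# Runs both checks against a connected device (requires adb on the PATH).
triage_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "security patch level $level: $(patch_level_ok "$level")"
    echo "third-party packages not installed by Google Play:"
    adb shell pm list packages -3 -i | tr -d '\r' | flag_sideloaded
}

case "${1:-}" in
    --device) triage_device ;;
    *)
        echo "demo on constructed sample data (use --device to query a phone over adb):"
        echo "patch level 2025-11-05: $(patch_level_ok 2025-11-05)"
        echo "patch level 2025-12-01: $(patch_level_ok 2025-12-01)"
        printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded
        ;;
esac
```

Run it with --device against a phone that has USB debugging enabled; without arguments it exercises the constructed sample. A non-Play installer is a lead, not a verdict: OEM app stores and enterprise MDM installers are legitimate, and a sideloaded APK may predate this campaign entirely. The patch-level check is also only as good as the OEM's reporting; it tells you the device claims the 2025-12-01 level, not that every component in the bulletin is fixed.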

Key Details

Property               Value
CVE ID                 CVE-2025-48633
Vendor / Product       Android Framework
NVD Published          2025-12-08
NVD Last Modified      2025-12-10
CVSS 3.1 Score         5.5
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity               MEDIUM
CISA KEV Added         2025-12-02
CISA KEV Deadline      2025-12-23
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              None
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-12-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-12-01   Android December 2025 Security Bulletin released (patch level 2025-12-01)
2025-12-02   CISA adds CVE-2025-48633 (and companion CVE-2025-48572) to the KEV catalog; both flagged as under limited, targeted exploitation
2025-12-08   CVE published by NVD
2025-12-23   CISA KEV remediation deadline

References

Resource                                      Type
Android Security Bulletin, December 2025      Vendor advisory
NVD entry for CVE-2025-48633                  Vulnerability database
CISA KEV catalog entry                        US government