According to Forbes, Google confirmed on Wednesday, December 4, 2025, that it has started rolling out a critical monthly software update for all supported Pixel devices running Android 16. This urgent patch addresses two specific vulnerabilities in Android’s core framework, tracked as CVE-2025-48633 and CVE-2025-48572, which are already “under limited, targeted exploitation” and can enable remote denial-of-service attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding order requiring all federal employees to apply this update by December 23 or power down their devices. Google, Samsung, and CISA have all acted with notable speed in response to the confirmed attacks, highlighting the severity of the threat. The update is part of a larger December security patch, but these two flaws are the ones highlighted as actively exploited.
Pixel advantage meets real danger
Here’s the thing: this situation perfectly illustrates the double-edged sword of Android updates. On one hand, it shows the clear advantage Google Pixel users have. They’re all getting this fix pushed out starting right now, and it’ll install seamlessly in the background. That’s a huge win when the clock is ticking. But on the other hand, it’s a stark reminder that these core framework vulnerabilities affect everyone on Android. The fact that CISA felt the need to issue a “patch or power down” directive for government phones tells you this isn’t some theoretical risk. It’s real, and it’s happening now.
The Samsung update problem
And then there’s everyone else. The report points out the Samsung story is “very different.” Their rollout will drag on through the entire month of December, leaving many users exposed while Pixel owners are already covered. Even owners of expensive Samsung flagships—unless they have the very latest Galaxy S25—don’t get those seamless updates. They still face the old, slow, and disruptive installation process. So you’ve got a confirmed attack in the wild, and a huge segment of the Android user base is just stuck waiting. That fragmentation problem isn’t just an inconvenience anymore; in weeks like this, it’s a genuine security liability.
What you need to do
So, what’s the takeaway? If you’re a federal employee, you literally have a deadline: December 23. Update by then or turn your phone off. But honestly, given that attacks are confirmed, that’s a good timetable for every Pixel user to follow. Don’t wait. Go to your Settings, check for the system update, and install it. You can find the official details on Google’s support page and the broader Android security bulletin. CISA’s warning is in their Known Exploited Vulnerabilities catalog. This is one of those updates you just don’t ignore. Basically, treat your phone like a critical piece of infrastructure—because right now, that’s exactly what it is.
