Google has released its June 2026 Android security bulletin addressing 124 vulnerabilities, with one flaw already under active exploitation in what the company describes as limited, targeted attacks. The vulnerability, tracked as CVE-2025-48595, carries a CVSS score of 8.4 and affects Android versions 14, 15, 16, and Android 16 QPR2. Google confirmed the flaw is being exploited in the wild but has not disclosed attribution, victim counts, or delivery methods.
The vulnerability stems from an integer overflow in the Android Framework that enables code execution and privilege escalation. An attacker can exploit the flaw to gain elevated system access without requiring additional privileges or user interaction. The flaw is local in nature and resides in one of the most sensitive layers of the operating system, making it particularly valuable for sophisticated attack chains.
Security researchers believe the most likely exploitation scenario involves a malicious application that abuses the vulnerability after installation to gain elevated privileges and potentially full device control. This capability profile aligns with tools used by commercial spyware vendors and state-sponsored operations. Previous Android vulnerabilities described with similar language have been linked to surveillance campaigns targeting journalists, political figures, dissidents, executives, and government officials, though no public evidence currently connects CVE-2025-48595 to a specific threat actor.
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog on June 2, 2026, mandating that Federal Civilian Executive Branch agencies remediate the flaw by June 5, 2026. Beyond this critical issue, Google patched additional privilege escalation vulnerabilities in the Android System component. The company released two patch levels: 2026-06-01 and 2026-06-05, with the latter including all fixes from the first release plus updates for the Linux kernel and third-party chipset components from Qualcomm, MediaTek, Unisoc, and Imagination Technologies.
Android's fragmented update model remains a significant challenge for timely patching. While Pixel devices receive updates immediately, other manufacturers require additional testing and customization before distribution, potentially leaving users exposed for weeks or months after patch release. Organizations and individuals using affected Android versions should apply available security updates immediately, prioritize devices used by high-value personnel, and review installed applications for suspicious behavior. Users unable to update immediately should avoid installing applications from untrusted sources and consider restricting device usage for sensitive communications until patches can be applied.
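To turn the two patch levels above into a fleet check, here is an added example (not code from the article or from Google): it parses `adb shell getprop` output and classifies each device against the 2026-06-01 and 2026-06-05 levels. It assumes the standard Android build properties `ro.build.version.release` and `ro.build.version.security_patch`, and the sample property dump is constructed.

```python
"""Classify Android devices against the June 2026 bulletin patch levels.

Assumptions (not from the article): input is `adb shell getprop` output;
ro.build.version.release and ro.build.version.security_patch are the
standard build properties carrying the OS version and the patch level.
"""
import re
from datetime import date

AFFECTED_RELEASES = {"14", "15", "16"}   # versions the bulletin lists
PARTIAL_LEVEL = date(2026, 6, 1)        # framework fixes, incl. CVE-2025-48595
FULL_LEVEL = date(2026, 6, 5)           # adds kernel and chipset vendor fixes

_PROP = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample of `adb shell getprop` output for one device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2026-05-05]
[ro.product.model]: [Example Device]
"""


def parse_getprop(text: str) -> dict:
    """Turn getprop lines of the form '[key]: [value]' into a dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess(props: dict) -> str:
    """Return 'not-listed', 'unpatched', 'partial' or 'full'.

    'partial' means the 2026-06-01 level (framework fix present) but the
    vendor/kernel fixes of 2026-06-05 are still missing.
    """
    major = props.get("ro.build.version.release", "").split(".")[0]
    if major not in AFFECTED_RELEASES:
        return "not-listed"          # outside the versions the bulletin names
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unpatched"           # missing or malformed level: treat as exposed
    if level >= FULL_LEVEL:
        return "full"
    return "partial" if level >= PARTIAL_LEVEL else "unpatched"
```

Feed it one dump per device and prioritize anything reporting `unpatched`, then `partial` for devices whose chipset vendor fixes matter.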
Source: https://securityaffairs.com/193057/breaking-news/google-patches-actively-exploited-android-flaw-affecting-millions-of-devices.html