As part of the June 2026 Android Security Bulletin, Google has fixed 124 vulnerabilities, one of which — CVE-2025-48595 — is already being actively exploited by attackers. The vulnerability enables privilege escalation on devices running Android 14, 15, 16, and 16 QPR2 without any user interaction. Owners of affected devices should install the security updates as soon as possible.
Technical details of CVE-2025-48595
The vulnerability affects the Android operating system’s Framework component. According to the entry in the CVE registry, the root cause is an integer overflow present in several parts of the code. Exploiting this flaw makes it possible to execute arbitrary code followed by local privilege escalation.
Key characteristics of the vulnerability:
- CVE ID: CVE-2025-48595 (NVD)
- CVSS score: 8.4 (high severity)
- Type: local privilege escalation (LPE)
- Vector: integer overflow leading to code execution
- User interaction: not required
- Additional privileges required for exploitation: not required
- Affected versions: Android 14, Android 15, Android 16, Android 16 QPR2
- Exploitation status: confirmed active exploitation in real-world attacks
The absence of any need for user interaction or additional privileges makes this vulnerability particularly dangerous. An attacker only has to deliver malicious code to the device — the subsequent exploitation chain then triggers automatically.
Scope of the update and patch structure
Google has released two security patch levels:
- 2026-06-01 — a baseline set of patches including fixes for the Framework and System components
- 2026-06-05 — an extended set containing all fixes from the first level, plus patches for the kernel and chipset vendor components: Imagination Technologies, MediaTek, Qualcomm and Unisoc
In addition to CVE-2025-48595, a number of vulnerabilities have been fixed in the System component, the most serious of which also allow local privilege escalation without additional execution rights. The total of 124 closed vulnerabilities indicates large-scale work to strengthen the security of the platform.
Impact assessment
The range of affected versions — from Android 14 to Android 16 QPR2 — means that a significant share of the active Android device base is at risk. Google has confirmed signs of “limited, targeted exploitation” of CVE-2025-48595, without disclosing details about specific attackers, victims, or the scope of the campaign.
The nature of the vulnerability — privilege escalation without user interaction via an integer overflow in a core Framework component — makes it an attractive tool for targeted attacks against specific individuals. Such vulnerabilities are most valuable in pinpoint operations where stealth and minimal victim involvement are critical.
Recommendations
To minimize risk, the following is recommended:
- Install the security update with a patch level of at least 2026-06-05 — it includes the full set of fixes, including for kernel and chipset components. You can check the current level under “Settings → About phone → Android version / Security update”.
- For devices that have not yet received a vendor update — restrict installation of apps from third-party sources and minimize the use of privileged functions until the patch is available.
- For administrators of corporate device fleets — prioritize rollout of the June update via mobile device management (MDM) systems, especially for devices with access to confidential data.
- Monitor the availability of updates from device manufacturers (Samsung, Xiaomi, OnePlus, etc.), who integrate AOSP patches into their own firmware with delays ranging from several days to a few weeks.
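The patch-level check in the first recommendation, and the fleet-wide rollout tracking in the third, can be scripted. The POSIX shell script below is an added example and is not part of the bulletin or of any Google or vendor tooling. It assumes that adb is installed and that each device exposes the standard ro.build.version.security_patch property in YYYY-MM-DD form; the sample levels fed to the classifier when no device is attached are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bulletin: classify an Android device's
# security patch level against the two June 2026 levels described above.
# Assumes adb is installed and the device exposes the standard
# ro.build.version.security_patch property (YYYY-MM-DD).

FULL_LEVEL="2026-06-05"      # full fix set incl. kernel and chipset vendors
BASE_LEVEL="2026-06-01"      # baseline Framework/System fixes only

# level_to_int LEVEL -> prints YYYYMMDD so levels compare numerically;
# fails (status 1) on a missing or malformed value.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# patch_level_status LEVEL -> prints one of:
#   patched    (>= 2026-06-05: all June fixes present)               status 0
#   partial    (2026-06-01..04: CVE-2025-48595 fixed, vendor fixes missing) status 1
#   unpatched  (older: CVE-2025-48595 still present)                 status 2
#   invalid    (property missing or malformed)                       status 3
patch_level_status() {
    n=$(level_to_int "$1") || { echo invalid; return 3; }
    if [ "$n" -ge "$(level_to_int "$FULL_LEVEL")" ]; then
        echo patched; return 0
    elif [ "$n" -ge "$(level_to_int "$BASE_LEVEL")" ]; then
        echo partial; return 1
    fi
    echo unpatched; return 2
}

# device_patch_level SERIAL -> the level the device reports (CR/LF stripped)
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# audit_fleet -> one tab-separated line per attached device: serial, level, status
audit_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        level=$(device_patch_level "$serial")
        printf '%s\t%s\t%s\n' "$serial" "$level" "$(patch_level_status "$level")"
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit_fleet
else
    # Constructed sample levels: show the classifier without a device attached.
    for sample in 2026-05-05 2026-06-01 2026-06-05 2026-07-01 ""; do
        printf '%-12s %s\n' "${sample:-<missing>}" "$(patch_level_status "$sample")"
    done
fi
```

Run it with `--audit` against USB- or network-attached devices to get a per-serial table; without arguments it only exercises the classifier. Only a level of 2026-06-05 or later is reported as fully patched, because the 2026-06-01 level carries the Framework fix for CVE-2025-48595 but not the kernel and chipset vendor patches, so a "partial" result still warrants a follow-up update.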
Given the confirmed active exploitation of CVE-2025-48595 and the lack of any requirement for user interaction, installing the June Android security update should be treated as a priority task. Devices running Android 14–16 QPR2 that have not received the 2026-06-05 patch level remain vulnerable to attacks that have already been observed in real-world conditions.