Zero-day | Ongoing

Google patches actively exploited Android zero-day (CVE-2025-48595)

Google's June 2026 Android security update fixed 124 vulnerabilities, including CVE-2025-48595, an actively exploited integer-overflow flaw in the Android Framework that lets a local attacker escalate privileges without user interaction.

Victim: Google Android
Threat actor: Unknown
CVE: CVE-2025-48595

On 2 June 2026, Google released its June 2026 Android security update, fixing 124 vulnerabilities, including CVE-2025-48595, a high-severity flaw in the Android Framework that the company warned "may be under limited, targeted exploitation." It is the one zero-day in this month's batch known to be abused in the wild.

What happened

CVE-2025-48595 is an integer-overflow issue (CWE-190) in the Android Framework that allows a local attacker to escalate privileges on an affected device without any user interaction. The bug affects devices running Android 14, 15 and 16. Google did not disclose who reported the flaw or how it is being exploited, and its "limited, targeted" phrasing typically signals attacks aimed at a narrow set of high-value individuals (journalists, dissidents, officials or executives) rather than mass consumer targeting.

The fixes ship through two security patch levels, 2026-06-01 and 2026-06-05, with the later level incorporating all of the month's fixes. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog on 2 June 2026, requiring federal civilian agencies to patch by 5 June 2026 under Binding Operational Directive 22-01.
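Because the fix is tied to a patch level rather than an app version, the practical check on a device or a fleet inventory is the `ro.build.version.security_patch` property (readable with `adb shell getprop`). The script below is an added example, not code from Google or from the article: it classifies a device as patched, partially patched, vulnerable or not listed, using the two patch levels and the Android 14-16 range named above. The assumption that only the 2026-06-05 level should be treated as fully remediated is ours; the article states that the later level carries all of the month's fixes but does not say which level carries this particular CVE.

```python
"""Classify Android devices against the June 2026 security bulletin.

Added illustration (not Google's or the article's code). Assumes the
standard build properties `ro.build.version.release` (e.g. "15") and
`ro.build.version.security_patch` (e.g. "2026-06-05"), as printed by
`adb shell getprop`. Treating only 2026-06-05 as fully remediated is an
assumption: the bulletin's later level incorporates all June fixes, but
the article does not state which level contains CVE-2025-48595.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import re
import subprocess

PARTIAL_LEVEL = date(2026, 6, 1)   # first June 2026 patch level
FULL_LEVEL = date(2026, 6, 5)      # later level, carries all June fixes
AFFECTED_MAJORS = {14, 15, 16}     # versions the article lists as affected


@dataclass
class Verdict:
    status: str   # "patched" | "partial" | "vulnerable" | "not_listed" | "unknown"
    reason: str


def parse_patch_level(value: str) -> Optional[date]:
    """Parse a YYYY-MM-DD patch level; None for malformed or impossible dates."""
    m = re.fullmatch(r"\s*(\d{4})-(\d{2})-(\d{2})\s*", value or "")
    if not m:
        return None
    try:
        return date(int(m[1]), int(m[2]), int(m[3]))
    except ValueError:          # e.g. "2026-02-30"
        return None


def parse_major(release: str) -> Optional[int]:
    """Leading integer of the release string ("15", "14.0", ...)."""
    m = re.match(r"\s*(\d+)", release or "")
    return int(m[1]) if m else None


def assess(release: str, patch_level: str) -> Verdict:
    """Decide where a device stands relative to the June 2026 update."""
    major = parse_major(release)
    level = parse_patch_level(patch_level)
    if major is None or level is None:
        return Verdict("unknown",
                       f"could not parse release={release!r} patch={patch_level!r}")
    if major not in AFFECTED_MAJORS:
        return Verdict("not_listed",
                       f"Android {major} is not among the versions the bulletin lists")
    if level >= FULL_LEVEL:
        return Verdict("patched", f"patch level {level} includes all June 2026 fixes")
    if level >= PARTIAL_LEVEL:
        return Verdict("partial",
                       f"patch level {level} is the 2026-06-01 level; not every June fix is present")
    return Verdict("vulnerable", f"patch level {level} predates the June 2026 update")


def getprop(name: str, serial: Optional[str] = None) -> str:
    """Read one build property from a connected device via adb."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop", name]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()


def assess_connected_device(serial: Optional[str] = None) -> Verdict:
    return assess(getprop("ro.build.version.release", serial),
                  getprop("ro.build.version.security_patch", serial))


# Constructed sample inventory (serial, release, patch level); not real devices.
SAMPLE_FLEET: List[Tuple[str, str, str]] = [
    ("DEV-0001", "15", "2026-06-05"),
    ("DEV-0002", "14", "2026-06-01"),
    ("DEV-0003", "16", "2026-05-05"),
    ("DEV-0004", "13", "2026-05-05"),
    ("DEV-0005", "15", "n/a"),
]


def triage(fleet: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (serial, status) pairs for the devices needing attention."""
    return [(s, assess(r, p).status) for s, r, p in fleet
            if assess(r, p).status in ("vulnerable", "partial", "unknown")]


if __name__ == "__main__":
    for serial, release, level in SAMPLE_FLEET:
        v = assess(release, level)
        print(f"{serial}: {v.status:10} {v.reason}")
```

For real devices, `assess_connected_device("<serial>")` runs the two `getprop` reads over adb; the ISO date form of the patch level is why a plain date comparison is enough, and the `partial` bucket exists precisely because a device on 2026-06-01 cannot be assumed to carry the framework fix from this page alone.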

Why it matters

A privilege-escalation flaw that needs no user interaction is a prized building block for mobile spyware, which typically chains an initial-access exploit with an elevation bug to seize full control of a handset. Because the Android Framework component spans the broad Android 14-16 install base, the window between disclosure and patch adoption, historically slow across the fragmented Android device fleet, leaves millions of phones exposed until manufacturers ship the June update downstream.

Timeline

  1. Google releases the June 2026 Android security update fixing 124 flaws and warns that CVE-2025-48595 may be under limited, targeted exploitation.

  2. CISA adds CVE-2025-48595 to its Known Exploited Vulnerabilities catalog, setting a 5 June 2026 remediation deadline for U.S. federal civilian agencies.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/google-fixes-one-actively-exploited-android-zero-day-124-flaws/
  2. helpnetsecurity.com: https://www.helpnetsecurity.com/2026/06/02/android-vulnerability-exploited-cve-2025-48595/
  3. thecyberexpress.com: https://thecyberexpress.com/cve-2025-48595-android-june-2026/
  4. cybersecuritynews.com: https://cybersecuritynews.com/android-framework-integer-overflow-vulnerability-exploited/
