DarkReading

CVE-2025-48595 Fixed In Android June 2026 Security Update


Google has released its June 2026 Android security update, addressing 124 vulnerabilities, including one actively exploited zero-day. The zero-day — CVE-2025-48595 — is an integer overflow vulnerability in the Android Framework that allows local attackers to escalate privileges on affected devices without requiring user interaction.

CVE-2025-48595 is classified as a high-severity integer overflow (CWE-190) in the Android Framework — the set of APIs and system services that applications interact with directly. An integer overflow occurs when an arithmetic operation produces a value that exceeds the maximum size of the data type used to store it, causing the value to wrap around or produce unexpected behaviour that attackers can exploit to gain elevated access.
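To make the CWE-190 mechanism described above concrete, the following C program is an added example written for this page; it is not Android Framework code and not the CVE-2025-48595 code path. It models the generic shape of the bug class: a caller-controlled element count is multiplied by a fixed element size to size a buffer, first without a check (the product wraps modulo 2^32, so a huge count yields a tiny allocation that a later copy of `count` elements would overrun) and then with overflow detection that rejects the request instead. The element size and the sample count are constructed values chosen to make the wrap visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of CWE-190 (not the CVE-2025-48595 code):
 * a buffer is sized as count * ELEM_SIZE using 32-bit arithmetic. */
#define ELEM_SIZE 16u   /* assumed fixed per-element size */

/* Unchecked: unsigned multiplication wraps modulo 2^32, so a large
 * count silently produces a small byte count. */
uint32_t unsafe_buffer_bytes(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Hardened: detect the overflow and refuse the request. *out is only
 * valid when the function returns true. Uses the GCC/Clang builtin. */
bool checked_buffer_bytes(uint32_t count, uint32_t *out) {
    uint32_t bytes;
    if (__builtin_mul_overflow(count, ELEM_SIZE, &bytes)) {
        return false;           /* product does not fit in uint32_t */
    }
    *out = bytes;
    return true;
}

/* Same check without compiler builtins: bound the count before
 * multiplying, so the multiplication can never wrap. */
bool checked_buffer_bytes_portable(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE) {
        return false;
    }
    *out = count * ELEM_SIZE;
    return true;
}

int main(void) {
    uint32_t count = 0x10000001u;   /* 2^28 + 1 elements, constructed */
    uint32_t bytes;

    /* 0x10000001 * 16 = 0x100000010, truncated to 0x10 = 16 bytes */
    printf("unchecked: %u elements -> %u bytes\n",
           count, unsafe_buffer_bytes(count));

    if (checked_buffer_bytes(count, &bytes)) {
        printf("checked:   %u bytes\n", bytes);
    } else {
        printf("checked:   request rejected (integer overflow)\n");
    }
    return 0;
}
```

The unchecked path turns a request for roughly 268 million elements into a 16-byte buffer; any subsequent write of `count` elements into it is a heap overflow. Either checked variant turns the same input into a clean failure, which is the fix pattern for this weakness class regardless of where it appears.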

CVE-2025-48595: The Zero-Day Under Fire

The vulnerability enables a local attacker with basic application permissions to escalate privileges and execute code at a higher permission level, potentially gaining full control of device functions. Crucially, exploitation requires no user interaction beyond running a malicious application on the device.

This marks the fourth Android zero-day patched since December 2025. Google noted that CVE-2025-48595 “may be under limited, targeted exploitation” — language the company uses when targeted attacks have been confirmed, but widespread in-the-wild exploitation has not yet been observed. This pattern is frequently associated with commercial spyware vendors or nation-state threat actors targeting high-profile individuals such as journalists, activists, or government officials.

Scope of the June 2026 Update

The June 2026 Android security update is substantial, fixing 124 vulnerabilities across two patch levels. Patch level 2026-06-01 addresses core Android OS components, including the Framework and System, with 18 vulnerabilities rated critical. Patch level 2026-06-05 includes all fixes from 2026-06-01 plus additional patches for kernel subcomponents and third-party chipset drivers from manufacturers such as Qualcomm and MediaTek.

Affected Android versions include Android 14, 15, 16, and Android 16 QPR2. Pixel devices receive updates immediately through Google’s update delivery system, while devices from Samsung, OnePlus, Xiaomi, and other manufacturers will receive updates on a rolling timeline that may extend weeks or months after Google’s release.


CVSS and Technical Details

  • CVE: CVE-2025-48595
  • CWE: CWE-190 (Integer Overflow or Wraparound)
  • Severity: High
  • KEV Status: Not confirmed as added to the CISA KEV catalogue as of June 3, 2026
  • Affected Versions: Android 14, Android 15, Android 16, Android 16 QPR2

Why It Matters

The pattern of four Android zero-days in under six months reflects an active market for Android exploits among sophisticated threat actors. While Google’s characterisation of “limited, targeted exploitation” suggests this is not yet a mass exploitation scenario, targeted use by spyware operators or nation-state actors presents significant risk for high-value individuals and organisations.

Mobile devices increasingly serve as primary work devices, accessing corporate email, VPN, and sensitive business applications. A privilege escalation vulnerability on a corporate-enrolled Android device could allow an attacker to capture credentials, intercept MFA codes, access enterprise apps, and exfiltrate sensitive data — all from a device users typically trust implicitly.

“The trajectory of Android zero-days in 2026 suggests that mobile endpoints are receiving increased attention from sophisticated threat actors,” said a threat intelligence analyst. “Organisations with mobile device management (MDM) programmes should treat Android OS updates with the same urgency as Windows Patch Tuesday releases.”

Mitigation Steps

  • Apply the June 2026 Android security update immediately on all managed Android devices via your MDM or enterprise mobility management (EMM) platform.
  • For Pixel devices, install the update via Settings > System > Software update.
  • Contact device manufacturers for updated timelines if using non-Pixel Android devices.
  • Implement mobile application management (MAM) policies that block installation of applications from unverified sources.
  • Enable Google Play Protect scanning on all managed Android devices.
  • Restrict sensitive corporate applications to devices meeting a minimum patch level of 2026-06-05 through MDM policy enforcement.
  • Monitor for unusual privilege escalation events in your mobile device management console.
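The minimum-patch-level step above is a comparison of the device's reported security patch level against a required one. The following C snippet is an added example for this page, not code from Google or any MDM vendor: it evaluates the value of the Android system property `ro.build.version.security_patch` (a `YYYY-MM-DD` string, as printed by `adb shell getprop ro.build.version.security_patch`) against the 2026-06-05 level the mitigation list names. The property name is real; the sample values fed in are constructed. A missing or malformed value is reported as unknown rather than compliant, so an attestation gap never passes policy by accident.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimum level from the mitigation list; the 2026-06-05 level carries the
 * 2026-06-01 Framework fixes plus the kernel and chipset driver patches. */
#define REQUIRED_PATCH_LEVEL "2026-06-05"

enum compliance {
    PATCH_UNKNOWN = -1,     /* value missing or not YYYY-MM-DD */
    PATCH_OUT_OF_DATE = 0,  /* older than the required level */
    PATCH_COMPLIANT = 1     /* at or beyond the required level */
};

/* Accept only the exact YYYY-MM-DD shape (10 chars, digits, dashes at
 * positions 4 and 7). Anything else is treated as unknown. */
static bool valid_patch_level(const char *s) {
    if (s == NULL || strlen(s) != 10) {
        return false;
    }
    for (int i = 0; i < 10; i++) {
        if (i == 4 || i == 7) {
            if (s[i] != '-') return false;
        } else if (!isdigit((unsigned char)s[i])) {
            return false;
        }
    }
    return true;
}

/* Zero-padded ISO dates sort correctly as plain strings, so once both
 * values are validated a strcmp gives the chronological order. */
enum compliance patch_level_compliance(const char *device_level,
                                       const char *required_level) {
    if (!valid_patch_level(device_level) || !valid_patch_level(required_level)) {
        return PATCH_UNKNOWN;
    }
    return strcmp(device_level, required_level) >= 0 ? PATCH_COMPLIANT
                                                     : PATCH_OUT_OF_DATE;
}

int main(void) {
    /* Constructed sample values as a fleet inventory might report them. */
    const char *samples[] = { "2026-06-05", "2026-06-01", "2025-12-05",
                              "2026-7-5", "", NULL };
    const char *labels[] = { "unknown", "out of date", "compliant" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum compliance c = patch_level_compliance(samples[i], REQUIRED_PATCH_LEVEL);
        printf("%-12s -> %s\n", samples[i] ? samples[i] : "(missing)", labels[c + 1]);
    }
    return 0;
}
```

Note that a device on the 2026-06-01 level already has the Framework fix for CVE-2025-48595 but is still reported as out of date here, because the policy in the list above requires 2026-06-05; if you only need the Framework fix, lower `REQUIRED_PATCH_LEVEL` accordingly.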

Google’s June 2026 Android update demonstrates that mobile patch management is now an essential component of enterprise security hygiene, not an optional maintenance activity.
