
Overview
Google has released the June 2026 Android security patches to address 124 vulnerabilities, including one zero-day flaw exploited in targeted attacks. The bulletin spans Framework, System, Kernel, and multiple chipset vendor components across two patch levels — making it one of the more substantial monthly drops of 2026.
The Active Zero-Day: CVE-2025-48595
CVE-2025-48595 is an integer overflow vulnerability in the Android Framework — the core API and system services layer that all apps interact with directly. The flaw allows attackers to escalate privileges on a vulnerable device and potentially gain complete access to the device and data on it. Successful exploitation does not hinge on user interaction, and the attack vector is local, which most likely means the vulnerability is being exploited via a malicious app that targeted users have been tricked into installing.
The vulnerability arises from integer overflow conditions in multiple locations within the Android OS. The CVSS 3.1 base score is 8.4, reflecting high impact on confidentiality, integrity, and availability. Affected versions span Android 14, 15, 16, and 16-QPR2.
As an elevation-of-privilege flaw, successful exploitation could allow an attacker to gain broader access to device resources than normally permitted, potentially serving as a stepping stone within a larger attack chain.
Why “Local Vector” Does Not Mean Low Risk
A local attack vector does not equate to low severity. It means the attacker requires code running on-device first — typically delivered via a trojanised app, a sideloaded APK, or chained after an initial browser or download exploit. In commercial spyware kill chains — NSO Group Pegasus, Paragon Graphite, Intellexa Predator — a remote delivery stage drops the payload, after which a local EoP zero-day like this escalates privileges and escapes the sandbox. The “limited, targeted” exploitation language from Google is the canonical fingerprint of exactly that attack pattern.
Google did not disclose who discovered the issue, how it is being exploited, or whether it was used by commercial spyware vendors, cybercriminal groups, or state-sponsored actors.
Patch Architecture — Two Levels, One Complete Baseline
Google issued two sets of patches: the 2026-06-01 and 2026-06-05 security patch levels, with the latter bundling all fixes from the first batch along with patches for closed-source third-party and kernel subcomponents that may not apply to all Android devices. While Google Pixel devices receive these security updates immediately, other vendors will often take longer to test and tweak them for specific hardware configurations.
The operational implication is direct: patch level 2026-06-01 alone is incomplete. Only 2026-06-05 represents the full security baseline — particularly relevant for organisations running mixed OEM fleets where chipset-level patches are as critical as OS-level ones.
Full Bulletin Scope
The most severe vulnerability in the Framework section could lead to remote escalation of privilege with no additional execution privileges needed. That is a distinct and higher-severity class than CVE-2025-48595 itself — meaning the bulletin contains remote-vector critical flaws that, while not actively exploited yet, represent meaningful weaponisation potential.
Among the vendor-specific fixes are three critical vulnerabilities in Qualcomm closed-source components, tracked as CVE-2025-47392, CVE-2026-25276, and CVE-2026-25277. The June 2026 fixes also include a wide range of high-severity vulnerabilities affecting information disclosure, denial-of-service, remote code execution, and privilege escalation across Framework and System components.
Qualcomm closed-source fixes carry no AOSP change list and no public code diff — they are opaque by design and cannot be independently verified by security teams or researchers.
2026 Android Zero-Day Tracker
Google released patches for two other high-severity zero-days — CVE-2025-48633 and CVE-2025-48572 — in December, and for a zero-day in a Qualcomm display component (CVE-2026-21385) in March, all tagged as “under limited, targeted exploitation.” CVE-2025-48595 is the fourth Android zero-day confirmed exploited in 2026, continuing an accelerating cadence that tracks closely with increased commercial spyware deployment globally.
Android VRP Overhaul
Last month, Google overhauled its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for some Android exploits while scaling back payouts for flaws that are easier to find using artificial intelligence. BThe restructuring signals Google’s acknowledgment that AI-assisted fuzzing is lowering the barrier to vulnerability discovery — and that the premium now sits on hard-to-automate, high-complexity exploit chains of exactly the kind that CVE-2025-48595 represents.
OEM Fragmentation — The Persistent Structural Gap
Pixel devices are expected to receive the updates first, while availability for Samsung, Motorola, Xiaomi, OnePlus, and other Android vendors will depend on each manufacturer’s release schedule.
With CVE-2025-48595 confirmed under active exploitation, the window between Google’s patch publication and actual OTA delivery on enterprise-managed non-Pixel devices can span weeks. Devices past end-of-software-support receive nothing at all. This fragmentation gap is the structural weakness of the Android security model that no individual bulletin resolves — and it is precisely the gap that commercial spyware operators exploit operationally.
Threat Actor Profile
The “limited, targeted exploitation” framing combined with the local EoP vector and Framework layer location fits a narrow but high-consequence threat profile: commercial spyware operators and nation-state APTs targeting journalists, diplomats, executives, activists, and government officials. Ransomware operators do not invest in Android Framework zero-days — the economics do not support it. The victim population mirrors all prior Android zero-day exploitation patterns observed from 2023 through 2025.
Remediation
- Apply patch level 2026-06-05 across all managed Android device fleets — the 06-01 level alone is incomplete
- Query MDM/UEM platforms for devices not yet at the June 2026 patch level and treat them as high-priority remediation targets
- Enforce policy-level restrictions on sideloading from unknown sources across all managed devices — the most probable initial delivery mechanism for this exploit class
- Ensure Google Play Protect is active across the fleet; it provides behavioural detection for sandbox escape attempt patterns
- Issue urgent advisory to high-risk personnel — executives, legal, IR, and communications staff — on managed Android devices pending OTA arrival from their OEM
- Pixel fleet: update immediately, no OEM testing delay applies
- Google encourages all users to update to the latest version of Android where possible



