Google has confirmed active exploitation of a zero-day vulnerability in the Android Framework, tracked as CVE-2025-48595, that allows local privilege escalation on Android 14 and later devices. The vulnerability carries a CVSS score of 8.4 and has been added to the CISA Known Exploited Vulnerabilities catalog with a federal agency remediation deadline of June 5, 2026. Google’s June 2026 Android Security Bulletin patches 124 vulnerabilities in total, including 18 rated Critical.
What Is the Vulnerability?
CVE-2025-48595 is an integer overflow vulnerability in the Android Framework — the core system layer that runs on every Android device. The vulnerability exists in multiple locations within the Framework and allows an attacker who has already achieved code execution on a device (such as through a malicious application) to escalate their privileges to gain higher-level system access without requiring additional execution privileges or any user interaction.
Google describes the vulnerability as enabling “local escalation of privilege with no additional execution privileges needed.” In practical terms, this means an attacker can combine this vulnerability with an initial access vector — a malicious app, a drive-by browser exploit, or a pre-installed compromised application — to break out of Android’s sandbox and gain system-level or root-level access to the device. The “no user interaction needed” characteristic is particularly dangerous: once the initial code execution is achieved, the privilege escalation happens automatically without any prompt, notification, or action required from the user.
Google’s June 2026 Android Security Bulletin addresses a total of 124 vulnerabilities, with 18 rated Critical across the System, Framework, and Qualcomm closed-source components. This is one of the larger monthly Android bulletin releases, reflecting the broad attack surface of the Android platform.
- CVSS v3.1 Score: 8.4 (High)
- Attack Vector: Local (AV:L)
- Attack Complexity: Low (AC:L)
- Privileges Required: Low (PR:L)
- User Interaction: None (UI:N)
- CISA KEV: Added June 2, 2026 — federal agency deadline June 5, 2026
Which Versions Are Affected?
The vulnerability affects Android 14 and later across all device manufacturers:
- Android 14 — all patch levels prior to June 1, 2026
- Android 15 — all patch levels prior to June 1, 2026
- Android 16 — all patch levels prior to June 1, 2026
Because this is a Framework-level vulnerability, it affects every Android device running these versions regardless of manufacturer — Google Pixel, Samsung Galaxy, OnePlus, Motorola, Xiaomi, and all other Android OEMs are affected. Enterprise devices managed through Android Enterprise (work profile), Samsung Knox, or other EMM/MDM platforms are equally vulnerable. The vast majority of actively supported Android devices in both consumer and enterprise environments run Android 14 or later.
Is It Being Exploited in the Wild?
Yes — confirmed targeted exploitation. Google states that “there are indications that CVE-2025-48595 may be under limited, targeted exploitation.” This is the standard phrasing Google uses when commercial spyware vendors or nation-state actors are actively exploiting a vulnerability against specific high-value targets — the same language used for previous Android zero-days exploited by the Heliconia, Predator, and Hermit spyware campaigns. While Google has not released full technical details about the in-the-wild attacks, the pattern — limited and targeted — strongly suggests the exploitation is focused on high-profile individuals, journalists, dissidents, government officials, or corporate executives rather than mass-scale consumer targeting. CISA’s addition to the KEV catalog on June 2 with a tight June 5 deadline confirms federal concern about the active threat. The vulnerability has been exploited in the wild prior to the June 2026 patch release, meeting the definition of a true zero-day.
What Is the Fix?
The fix is included in the June 2026 Android security updates, available at patch levels 2026-06-01 and 2026-06-05. Google has released the patches to the Android Open Source Project (AOSP) and to Android device manufacturers. The official Android Security Bulletin is available at:
https://source.android.com/docs/security/bulletin/2026/2026-06-01
Update availability depends on the device manufacturer and carrier:
- Google Pixel devices: Updates are typically available immediately or within days of the bulletin publication. Check Settings > System > System Update.
- Samsung Galaxy devices: Updates typically roll out within 1–4 weeks depending on model, region, and carrier.
- Other Android OEMs: Timing varies significantly — from days to months depending on the manufacturer’s update commitment and carrier certification processes.
- Enterprise-managed devices: Push the update via your MDM/EMM platform as soon as the device manufacturer makes it available.
After updating, verify the patch level: Settings > About Phone > Android Security Patch Level should read June 1, 2026 or later.
Recommendations
Apply the June 2026 Android security update as soon as your device manufacturer makes it available. This is a confirmed actively exploited zero-day with CISA KEV designation. While the exploitation is currently limited and targeted, the addition to KEV with a June 5 deadline signals that broader exploitation is expected. For enterprise environments, push the update through your MDM/EMM platform immediately when released by the device OEM.
Implement conditional access for unpatched devices. If your device manufacturer has not yet released the June update, consider restricting access to sensitive enterprise resources — email, documents, internal applications — from Android devices that do not have the June 2026 patch level. This is standard mobile threat defence practice and can be implemented through Microsoft Intune, Workspace ONE, or other conditional access platforms.
For high-risk users — apply additional protections. Users who are likely targets of commercial spyware or nation-state surveillance (executives, legal counsel, journalists, human rights workers, government officials) should consider upgrading to a Google Pixel device if they have not already, as Pixel devices receive Android security updates on day one of the bulletin release. For these users, the gap between bulletin publication and OEM update delivery on non-Pixel devices represents an extended window of exposure.
Audit your Android fleet. Verify the Android security patch level across your managed device fleet. Identify devices that are more than one patch cycle behind and investigate why updates are not being applied. A significant gap between available and installed patch levels indicates a breakdown in mobile device management processes that extends beyond this single CVE.
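The fleet audit described above, as an added example that is not from the bulletin or any MDM vendor: it reads a constructed CSV export of device IDs, Android versions and security patch levels (the column names and device IDs are assumptions), flags devices on Android 14 or later that sit below the 2026-06-01 patch level as exposed to CVE-2025-48595, and separately lists devices more than one monthly patch cycle behind, which is the process signal the audit step asks for.

```python
import csv
import io
from datetime import date

# From the advisory: Android 14 and later is affected; fixed at patch level 2026-06-01.
MIN_AFFECTED_VERSION = 14
FIXED_PATCH_LEVEL = date(2026, 6, 1)

# Constructed sample of an MDM export (hypothetical device IDs, not real devices).
# security_patch uses the same YYYY-MM-DD form as ro.build.version.security_patch.
SAMPLE_EXPORT = """device_id,android_version,security_patch
pixel-001,16,2026-06-05
galaxy-002,15,2026-05-01
moto-003,14,2026-03-01
tablet-004,13,2026-01-01
oneplus-005,15,2026-06-01
"""

def months_behind(patch_level: date, baseline: date = FIXED_PATCH_LEVEL) -> int:
    """Whole monthly bulletin cycles between a device's patch level and the baseline."""
    delta = (baseline.year - patch_level.year) * 12 + baseline.month - patch_level.month
    return max(0, delta)

def is_exposed(android_version: int, patch_level: date) -> bool:
    """True when the device runs an affected major version at a pre-fix patch level."""
    return android_version >= MIN_AFFECTED_VERSION and patch_level < FIXED_PATCH_LEVEL

def audit(export_csv: str) -> dict:
    """Return devices exposed to CVE-2025-48595 and devices more than one cycle behind.

    'lagging' covers every device that is repeatedly missing updates, whether or
    not this CVE applies to it, so Android 13 devices can still appear there.
    """
    exposed, lagging = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        version = int(row["android_version"].split(".")[0])  # tolerate "14.0"
        patch = date.fromisoformat(row["security_patch"])
        if is_exposed(version, patch):
            exposed.append(row["device_id"])
        if months_behind(patch) > 1:
            lagging.append(row["device_id"])
    return {"exposed": exposed, "lagging": lagging}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print("Exposed to CVE-2025-48595:", report["exposed"])
    print("More than one patch cycle behind:", report["lagging"])
```

Devices on the 2026-06-05 level pass because it is later than the fixed level; a device whose patch level is newer than the baseline reports zero cycles behind rather than a negative number.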
Monitor for follow-on exploitation. Once technical details of CVE-2025-48595 become public — as they typically do after the patch is widely distributed — expect broader exploitation attempts. The transition from “limited, targeted” to “widespread” exploitation of Android Framework vulnerabilities often occurs within weeks of patch release and technical disclosure.
References
- Android Security Bulletin — June 2026
- NVD: CVE-2025-48595
- CISA Known Exploited Vulnerabilities Catalog
- Vulnerability Intelligence Report — June 3, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
