Google on Monday released patches for 124 security vulnerabilities in Android for June 2026, including one high-severity, actively exploited flaw tracked as CVE-2025-48595.
CVE-2025-48595: a no-interaction privilege escalation
CVE-2025-48595 carries a CVSS score of 8.4 and has been described as a case of privilege escalation that “does not require any user interaction.” According to the entry on CVE.org, “In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.” The flaw affects devices running Android 14, 15, 16, and 16 QPR2 (Quarterly Platform Release 2).
Patch roll‑out: 2026-06-01 and 2026-06-05 security patch levels
Google issued two sets of fixes for June: security patch levels dated 2026-06-01 and 2026-06-05. The 2026-06-05 set includes all fixes from the 2026-06-01 set, plus additional patches for kernel and third‑party chipset components. Devices and administrators should treat the 2026-06-05 release as the superset package when assessing whether a device has received the June fixes.
Broader fixes: System component, kernel, and third‑party chipsets
Beyond the Framework vulnerability tracked as CVE-2025-48595, Google patched a number of issues in the System component; the most severe of those System bugs could likewise “lead to local escalation of privilege with no additional execution privileges needed,” according to the advisory. The later June release added kernel patches and updates for third‑party chipset components provided by Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
Threat context: limited, targeted exploitation and commercial spyware
Google acknowledged there are indications that CVE-2025-48595 may be under “limited, targeted exploitation.” The company did not disclose specifics about the actors, targets, or the scale of the exploitation, a reticence the advisory notes is typical for Google. The advisory also points out that “similar flaws have been weaponized by commercial spyware vendors to target high-profile individuals as part of extremely targeted attacks,” linking the technical pattern of integer-overflow privilege escalations to real-world targeting scenarios.
What this means for security teams, end users, and chipset vendors
- Security teams and technologists: Prioritize identification of devices running Android 14, 15, 16, and 16 QPR2 and verify the 2026-06-05 security patch level has been applied where possible. The presence of a no-interaction privilege-escalation vector raises the urgency for patch verification and local access hardening.
- End users and the general public: Watch for and install official updates pushed to devices; the advisory flags a high-severity flaw in active, limited exploitation and emphasizes that user interaction is not required for successful attack chains.
- Device makers and chipset vendors (Imagination Technologies, MediaTek, Qualcomm, Unisoc): The June 5 roll‑up includes kernel and third‑party chipset patches from these vendors. Those vendors and handset manufacturers will be in the operational center of the roll‑out, because their updates determine whether specific models receive the kernel and chipset fixes included in the June release.
Google’s June 2026 bulletin delivers a broad set of fixes and highlights one particularly dangerous flaw that appears to be in targeted use. The company’s acknowledgement of “limited, targeted exploitation,” coupled with the advisory’s reminder that similar bugs have been weaponized by commercial spyware vendors, leaves several concrete questions unresolved in the public record: which devices have already been targeted in the wild, who stands behind the observed exploitation, and how rapidly vendors and carriers will distribute the 2026-06-05 updates to affected hardware. For now, the immediate, verifiable step is the technical one: ensure devices report a June security patch level and, where possible, confirm application of the 2026-06-05 roll‑up.
Original story: https://thehackernews.com/2026/06/google-june-2026-android-update-patches.html




