Google’s June 2026 Android security update addresses 124 vulnerabilities — including an actively exploited zero-day tracked as CVE-2025-48595 — that can allow local attackers to gain code execution and escalate privileges on devices running Android 14 or later.
CVE-2025-48595: an actively exploited Android Framework zero-day
Google identified CVE-2025-48595 as a high-severity flaw in the Android Framework that a local attacker can use to execute code and escalate privileges. "There are indications that CVE-2025-48595 may be under limited, targeted exploitation," the company said on Monday in its March 2025 Android Security Bulletin. Google did not publish technical details or describe the targets of the ongoing attacks in the bulletin.
June 2026 patches: two patch levels and the rollout model
On Monday Google issued two patch sets for June 2026: the 2026-06-01 and 2026-06-05 security patch levels. Google said the 2026-06-05 bundle includes the fixes from the first batch plus additional patches for closed-source third-party and kernel subcomponents that may not apply to every Android device. According to the bulletin, Google Pixel devices will receive these updates immediately; other vendors "will often take longer to test and tweak them for specific hardware configurations." A Google spokesperson was not immediately available for comment when BleepingComputer reached out for more details about CVE-2025-48595 attacks and their targets.
Critical fixes across System, Framework, and Qualcomm components
The June updates include 18 critical vulnerabilities spanning System, Framework, and Qualcomm closed-source components. Google said these flaws can be abused to trigger denial-of-service conditions and to elevate privileges on unpatched devices. "The most severe of these issues is a critical security vulnerability in the Framework component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation," Google added. The bulletin also noted that "Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible."
Context from prior patches and bounty changes
Google has recently labeled multiple flaws as being under "limited, targeted exploitation." In December it released patches for two other high-severity zero-days, CVE-2025-48633 and CVE-2025-48572, and in March it patched a zero-day in a Qualcomm display component, CVE-2026-21385 — all described as under limited, targeted exploitation. Separately, last month Google overhauled its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for some Android exploits while reducing payouts for flaws that are easier to find using artificial intelligence.
What this means for Google Pixel devices, other vendors, and end users
- Google Pixel devices: Pixels will receive the June updates immediately, according to Google, meaning owners should see fixes for CVE-2025-48595 and the other addressed issues as soon as the patches are applied.
- Other device vendors: Vendors that build on Android will need time to test and adapt the June patch sets for specific hardware and closed-source subcomponents. The 2026-06-05 bundle includes additional third-party and kernel fixes that may not be relevant to all manufacturers.
- End users: Because Google says exploitation is being observed in "limited, targeted" attacks, users running Android 14 or later who are able to update should install the June patches promptly; Google also encouraged updating to the latest Android version where possible, noting platform enhancements make exploitation more difficult.
The June bulletin consolidates a wide set of fixes — from a locally exploitable Framework zero-day to multiple critical issues in closed-source components — while reiterating that limited, targeted exploitation has been observed for several recent flaws. With immediate availability for Pixel devices and staggered rollouts for other vendors, the practical protection each user receives will depend on their device and when vendors deliver vendor-specific updates. Read Google’s bulletin and the original reporting for full details.
Original story: Google fixes one actively exploited Android zero-day, 124 flaws — BleepingComputer




