SOCRadar® Cyber Intelligence Inc. | CVE-2025-48595: June 2026 Android Security Update Fixes Framework Zero-Day
Jun 03, 2026

CVE-2025-48595: June 2026 Android Security Update Fixes Framework Zero-Day

Google’s June 2026 Android Security Bulletin includes a fix for an Android Framework elevation of privilege zero-day tracked as CVE-2025-48595. Google noted the issue “may be under limited, targeted exploitation,” which raises the priority for teams managing Android fleets. The bulletin ships two patch levels, 2026-06-01 and 2026-06-05, with the latter bundling additional partner, device, kernel, and closed-source fixes.

This post breaks down what CVE-2025-48595 is, what is affected, what is known about exploitation, and what defenders should do next.

What Is CVE-2025-48595?

CVE-2025-48595 (CVSS 8.4) is a high-severity vulnerability in the Android Framework that can enable local elevation of privilege. The flaw is classified as an integer overflow (CWE-190) occurring across multiple locations in the Android Framework, which is the layer of APIs and system services that applications interact with directly. Successful exploitation can result in code execution at a higher privilege level, with no user interaction required and no additional execution privileges needed.

Details of CVE-2025-48595 (SOCRadar Vulnerability Intelligence)



The key operational concern is that Google explicitly flagged it as potentially exploited in the wild.

Which Android Versions Are Affected?

CVE-2025-48595 affects Android 14, 15, 16, and 16-QPR2 (Quarterly Platform Release 2). Because this is a Framework issue, exposure tracks with OS version and OEM patch adoption rather than any individual application. In practice, two devices on the same Android version can sit at different risk levels depending on whether their manufacturer and carrier have shipped the June 2026 patch.

How Does Exploitation Likely Work?

Public technical details remain limited. What is confirmed is the vulnerability class and impact: an integer overflow in multiple code locations that can allow local privilege escalation without user interaction. The attack vector being local most likely means exploitation arrives through a malicious or trojanized application that a targeted user has been tricked into installing. Other plausible paths include using CVE-2025-48595 as a second stage after gaining initial code execution through a separate vulnerability, or abusing a privileged preinstalled component as a foothold.

This makes it important as a component in exploit chains. Elevation of privilege bugs typically serve as the step that converts basic application-level access into the deeper permissions needed for persistence, data theft, or surveillance.

Is It Being Exploited in the Wild?

Google has confirmed there are indications CVE-2025-48595 is under limited, targeted exploitation. No victim details, attribution, or technical exploit details have been made public. The company did not disclose who discovered the vulnerability or whether it has been used by commercial spyware operators, criminal groups, or state-sponsored actors.

CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2026, with a remediation due date of June 5, 2026 for federal civilian agencies under BOD 22-01.

What Else Does the June 2026 Android Security Bulletin Fix?

This is one of the more substantial monthly releases of the year, addressing 124 vulnerabilities in total across both patch levels, with 18 rated critical.

The Most Severe Issue: CVE-2025-65018 (Critical, Framework)

Separate from the actively exploited zero-day, the bulletin’s most severe entry is CVE-2025-65018, a critical Framework vulnerability that could allow a remote attacker to escalate privileges without any user interaction and without requiring additional execution privileges. This is the flaw Google references when it characterizes the month’s worst-case severity in its standard bulletin header language.

The Framework section as a whole contains around 30 CVEs, covering elevation of privilege, information disclosure, and denial-of-service scenarios. Another notable Framework entry is CVE-2025-64720, rated critical for a denial-of-service condition.

System Component

The System component received critical fixes for four vulnerabilities: CVE-2026-0043, CVE-2026-0097, CVE-2026-21352, and CVE-2026-21353. All four involve local privilege escalation without user interaction, and all affect Android versions 14 through 16.

Media Framework

The Media Framework carries exploitable vulnerabilities that could result in remote code execution when a device processes a specially crafted media file. This is a historically common attack vector, since media parsing can be triggered simply by opening a file or receiving content, without any further user action.

Kernel and Chipset Vendors (2026-06-05 Patch Level)

The 2026-06-05 patch level extends the baseline with fixes for kernel subcomponents and contributions from four hardware partners: Imagination Technologies (3 CVEs in PowerVR GPU components), MediaTek (11 CVEs across modem, geniezone, and preloader), Unisoc (16 modem CVEs), and Qualcomm. Among the Qualcomm entries, three vulnerabilities in closed-source components, CVE-2025-47392, CVE-2026-25276, and CVE-2026-25277, each carry a CVSS score of 9.8 and are rated critical for potential full system compromise. These affect hardware abstraction layers and require vendor-specific firmware updates rather than standard OS patches.

The breadth of this bulletin means that even organizations not in a high-risk threat model have strong reasons to prioritize the June update promptly.

What Is the Difference Between the 2026-06-01 and 2026-06-05 Patch Levels?

Google shipped two security patch levels for the June 2026 Android Security Bulletin:

  • The 2026-06-01 level is the baseline and addresses vulnerabilities across core Android OS components, including Framework and System issues such as CVE-2025-48595.
  • The 2026-06-05 level is a superset that includes everything from 2026-06-01 plus additional fixes for kernel subcomponents and third-party chipset drivers. Critically, the Qualcomm and MediaTek vulnerabilities are only addressed at this level.

Supercharge Your Vulnerability Intelligence with SOCRadar

Stay ahead of threats like CVE-2025-48595 before they make headlines. SOCRadar’s Cyber Threat Intelligence module delivers real-time, actionable intelligence on emerging vulnerabilities, active exploits, and threat actor activity, so your team can prioritize and respond with confidence.

Combined with the Attack Surface Management (ASM) module, you get continuous visibility into your external-facing assets, helping you understand exactly where exposures like this one could hit your organization first.

SOCRadar’s Vulnerability Intelligence



What Should Defenders Do Now?

Prioritize deployment of the June 2026 patches. Target 2026-06-05 where possible. Treat 2026-06-01 as the minimum acceptable level for addressing the zero-day, and note that chipset-level fixes from Qualcomm and MediaTek require 2026-06-05.

Verify patch level across your Android fleet. Confirm devices report a June 2026 security patch level. Identify OEM or carrier populations that are behind schedule and flag them for exception management.
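
One way to run that check over an inventory export, as an added example that is not from Google's bulletin or SOCRadar: it classifies each device against the two June 2026 patch levels and counts lagging devices per OEM. The CSV column names, device IDs, and OEM names are constructed assumptions; the patch-level value uses the YYYY-MM-DD form a device reports in `ro.build.version.security_patch`.

```python
import csv
import io
from collections import Counter
from datetime import date

BASELINE = date(2026, 6, 1)   # level that addresses CVE-2025-48595
COMPLETE = date(2026, 6, 5)   # superset: adds kernel and chipset vendor fixes
AFFECTED_RELEASES = {"14", "15", "16", "16-QPR2"}  # versions listed as affected

# Constructed sample of an MDM export; the column names are assumptions.
SAMPLE_EXPORT = """device_id,oem,android_release,security_patch_level
d-001,OemA,15,2026-06-05
d-002,OemA,14,2026-06-01
d-003,OemB,16,2026-05-05
d-004,OemB,16-QPR2,2026-04-01
d-005,OemC,13,2025-12-01
d-006,OemC,15,unknown
"""

def classify(release, patch_level):
    """Map one device to a remediation status for the June 2026 bulletin."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        # Missing or malformed value: treat as unverified, never as patched.
        return "unknown-patch-level"
    if level >= COMPLETE:
        return "complete"
    if level >= BASELINE:
        return "baseline-only"       # zero-day fixed, chipset fixes missing
    if release.strip() in AFFECTED_RELEASES:
        return "exposed"             # affected release below 2026-06-01
    return "behind-not-listed"       # below baseline, release not in the list

def triage(export_text):
    """Return (status per device, count of non-complete devices per OEM)."""
    statuses = {}
    lagging = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        status = classify(row["android_release"], row["security_patch_level"])
        statuses[row["device_id"]] = status
        if status != "complete":
            lagging[row["oem"]] += 1
    return statuses, lagging

if __name__ == "__main__":
    statuses, lagging = triage(SAMPLE_EXPORT)
    for device, status in statuses.items():
        print(f"{device}: {status}")
    print("lagging by OEM:", dict(lagging))
```

Devices in the `exposed` and `unknown-patch-level` groups are the ones to escalate first; the per-OEM counts feed the exception-management list.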

Align urgency to threat context. Between Google’s exploitation warning and CISA KEV inclusion, this should be treated as a high-priority mobile remediation item. That priority is especially acute for executives, journalists, activists, and others who represent plausible targets for sophisticated or state-sponsored actors.

Tighten app installation and provenance controls. Given that the most likely delivery path for CVE-2025-48595 is a malicious application, reducing sideloading exposure and enforcing managed app sources limits the attacker’s primary route. Keeping Play Protect active adds a layer of detection for harmful applications, even though it is not a fix for this specific vulnerability.

Account for exploit chaining in your threat model. Elevation of privilege bugs rarely operate in isolation. The critical Media Framework remote code execution vulnerabilities patched in this same bulletin represent exactly the type of initial foothold that a privilege escalation flaw like CVE-2025-48595 could be paired with. If your threat model includes targeted adversaries, the combination makes this update particularly urgent.