Google has released its June 2026 Android security updates, fixing 124 vulnerabilities across the mobile operating system. One flaw, tracked as CVE-2025-48595 (CVSS score of 8.4), stands out from the rest because it is already being exploited in attacks in the wild.
The vulnerability affects devices running Android 14, 15, 16, and Android 16 QPR2. According to Google and the Android Security Bulletin, the issue is caused by an integer overflow that can lead to code execution and privilege escalation on a vulnerable device. An attacker could exploit the flaw to gain elevated access to the system without requiring additional privileges.
Google has confirmed that there are indications the flaw is being exploited in what it describes as “limited, targeted exploitation.”
“There are indications that CVE-2025-48595 may be under limited, targeted exploitation,” reads the advisory.
The company has not disclosed who is behind the attacks, how many victims may have been affected, or how the vulnerability is being delivered.
That lack of detail is not unusual. When Google uses the phrase “limited, targeted exploitation,” it typically refers to attacks against a small number of carefully selected targets rather than mass exploitation campaigns. In previous Android cases, vulnerabilities carrying the same wording were later linked to commercial spyware vendors or state-sponsored operations targeting journalists, political figures, dissidents, executives, and government officials.
At this stage, there is no public evidence connecting CVE-2025-48595 to a specific threat actor. However, several indicators point toward a sophisticated attack chain rather than ordinary cybercrime. The flaw is local, requires no user interaction, and resides inside the Android Framework, one of the most sensitive layers of the operating system. Researchers believe the most likely scenario involves a malicious application that abuses the vulnerability after installation to gain elevated privileges and potentially full control of the device.
This is exactly the type of capability that attracts commercial surveillance vendors. A spyware operator doesn’t need to infect millions of devices. Compromising a handful of high-value targets is often enough. The economics are very different from ransomware. One successful infection can be worth far more than a large-scale criminal campaign.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on June 2, 2026, added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by June 5, 2026.
Beyond CVE-2025-48595, Google patched a number of additional vulnerabilities in the Android System component, including flaws that could also result in privilege escalation. The company released two patch levels, 2026-06-01 and 2026-06-05. Devices receiving the latter will obtain all fixes included in the first release, plus updates for the Linux kernel and third-party chipset components from Qualcomm, MediaTek, Unisoc, and Imagination Technologies.
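Because the two patch levels build on each other, a defender can triage a fleet by comparing each device's reported security patch level against them. The Python script below is an added example, not code from Google or the Android Security Bulletin; it assumes the inventory was collected with `adb shell getprop ro.build.version.release` and `ro.build.version.security_patch`, that Android 16 QPR2 reports release `16`, and the sample inventory is constructed.

```python
"""Triage an Android fleet inventory against the June 2026 bulletin patch levels."""
from datetime import date

# Patch levels named in the bulletin (from the article).
FRAMEWORK_FIX_LEVEL = date(2026, 6, 1)  # fixes CVE-2025-48595 in the Android Framework
COMPLETE_FIX_LEVEL = date(2026, 6, 5)   # adds Linux kernel and chipset vendor fixes
# Releases the bulletin lists as affected (assumption: 16 QPR2 reports release "16").
LISTED_RELEASES = {"14", "15", "16"}


def parse_patch_level(value: str):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if empty or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def classify(release: str, patch_level: str) -> str:
    """Classify one device by its Android release and reported security patch level."""
    major = release.strip().split(".")[0]
    if major not in LISTED_RELEASES:
        return "version_not_listed"      # not named in the bulletin; review separately
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown_patch_level"     # cannot assert coverage; treat as exposed
    if level >= COMPLETE_FIX_LEVEL:
        return "fully_patched"           # 2026-06-05: framework + kernel + vendor fixes
    if level >= FRAMEWORK_FIX_LEVEL:
        return "framework_patched"       # 2026-06-01: CVE-2025-48595 fixed, vendor pending
    return "exposed"                     # pre-June level on a listed release


def triage(inventory):
    """Group device ids by classification; inventory rows are (id, release, patch_level)."""
    buckets = {}
    for dev_id, release, patch_level in inventory:
        buckets.setdefault(classify(release, patch_level), []).append(dev_id)
    return buckets


# Constructed sample inventory (hypothetical device ids and getprop output).
SAMPLE_INVENTORY = [
    ("pixel-01", "16", "2026-06-05"),
    ("pixel-02", "15", "2026-06-01"),
    ("oem-03", "14", "2026-05-01"),
    ("oem-04", "13", "2025-12-01"),
    ("oem-05", "16", ""),
]

if __name__ == "__main__":
    for bucket, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket}: {', '.join(ids)}")
```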
The biggest challenge remains Android’s fragmented update model. Pixel devices receive patches immediately, while many other manufacturers require additional testing and customization before distributing updates. As a result, some users may remain exposed for weeks or months after a vulnerability becomes public. Attackers know this. In many cases, the race begins not when a vulnerability is discovered, but when the patch is released.
(SecurityAffairs – hacking, Google)