7 June 2026 Android Security

Android Zero-Day CVE-2025-48595 Is Under Active Attack — 124 Vulnerabilities Patched in Google's June 2026 Update

Google has confirmed that a zero-day vulnerability in the Android Framework — tracked as CVE-2025-48595 — is under active, targeted exploitation. The flaw is one of 124 vulnerabilities addressed in the June 2026 Android Security Bulletin, but it stands apart: it has been added to the US government's Known Exploited Vulnerabilities catalogue and carries a CVSS score of 8.4. Android 14, 15, and 16 are all affected. If your Android device has not yet received the June 2026 security patch, it is vulnerable.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What Is CVE-2025-48595 and Why Has It Been Added to the US Government's Watchlist?

Google published its June 2026 Android Security Bulletin on 2 June 2026, disclosing 124 vulnerabilities across Android's software stack. The bulletin covers the Android Framework, System, Media Framework, kernel subcomponents, and chipset firmware from third-party manufacturers including Qualcomm and MediaTek. Most monthly bulletins are treated as routine maintenance. This one is different.

CVE-2025-48595 is an integer overflow vulnerability in the Android Framework — the core system layer that mediates between applications and the underlying operating system. An integer overflow occurs when an arithmetic operation produces a value that exceeds the capacity of the data type holding it, causing the value to wrap around unexpectedly. In security contexts, this class of bug can cause programs to miscalculate memory boundaries, enabling attackers to write data to unintended locations or bypass permission checks entirely.

The consequence in this instance is privilege escalation: an attacker who has already obtained code execution on an Android device can exploit CVE-2025-48595 to escalate their access from an ordinary application-level process to system-level privileges — without any action from the device owner. The CVSS score is 8.4 (High). The affected versions are Android 14, 15, 16, and 16-QPR2, covering the vast majority of modern Android devices currently in use globally and in Australia.

On 2 June 2026 — the same day Google published its Android Security Bulletin — the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalogue. A CISA KEV listing is not a theoretical flag: it means US government analysts have confirmed evidence of real-world exploitation in the wild. Federal civilian agencies were required to remediate the vulnerability by 5 June 2026 — a deadline that has already passed.

Google's own advisory states that CVE-2025-48595 "may be under limited, targeted exploitation." Security researchers recognise this as Google's standard phrasing for attacks attributed to commercial surveillance software vendors or nation-state actors targeting specific high-value individuals — journalists, lawyers, activists, executives, and government employees — rather than broad-spectrum criminal campaigns. The pattern is consistent with how zero-days in mobile operating systems have historically been used by operators of surveillance software. The technical details of the vulnerability are confirmed via Google's vendor advisory and CISA's independent verification.

A 124-Vulnerability Bulletin — What Else Was Fixed in Google's June 2026 Update?

While CVE-2025-48595 carries the bulletin's highest urgency due to its confirmed exploitation status, Google's June 2026 update addresses a significant number of other serious vulnerabilities across Android's software stack. Eighteen of the 124 patched flaws are rated Critical — meaning an attacker exploiting them could execute arbitrary code, access restricted data, or gain full control of a device.

The fixes are available through two security patch levels. Patch level 2026-06-01 covers Android's core operating system components: the Framework, System, and Media Framework layers. Patch level 2026-06-05 incorporates all of those fixes plus additional patches for kernel subcomponents and third-party chipset drivers from Qualcomm, MediaTek, Imagination Technologies, and Unisoc. A device displaying a patch level of 2026-06-05 or later has received the full set of June fixes.

Among the other notable vulnerabilities addressed in this bulletin:

The scale of this bulletin — 124 vulnerabilities, 18 critical — reflects the complexity of maintaining a mobile operating system across thousands of device variants from hundreds of manufacturers. Every Android user running version 14 or later falls within the scope of this bulletin. Manufacturers and carriers have varying update schedules, meaning many devices will not receive the patch immediately. For users on slower update cycles, understanding the secondary mitigations in the sections below becomes proportionally more important — a zero-day can be confirmed as exploited in the wild and a meaningful portion of vulnerable devices may still not receive a patch within any federally mandated timeframe, simply because their manufacturer has not yet released an update for that hardware model.

How CVE-2025-48595 Works: Android Framework Integer Overflow and Privilege Escalation

The Android Framework's privileged position

The Android Framework is the system-level layer that every application communicates with. When an app requests access to a file, checks a permission, queries a hardware sensor, or calls any OS function, it does so through Framework APIs. Because the Framework sits above the hardware but below the application layer, it runs with elevated privileges relative to ordinary apps. An exploitable bug in the Framework is therefore a potential escape route from an application's security sandbox into the operating system itself — bypassing the isolation Android relies on to keep applications from accessing each other's data and system resources.

What an integer overflow does in practice

Integer overflow bugs occur when a numeric computation produces a result larger than the maximum value a given data type can hold. When this happens, the value does not cap at its maximum — it wraps around to a small or zero value. In security contexts, these wraparound values are dangerous because code downstream of the overflow typically uses the incorrect value to make decisions about memory allocation or bounds checking. If an overflowed value is used to calculate how much memory to allocate, the allocated region may be far smaller than the data being written into it. This creates a memory corruption condition that sophisticated attackers can exploit to control program execution flow.
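An added illustration of the bug class described above (example code, not Google's Framework code and not the actual CVE-2025-48595 defect, whose source is not reproduced here): an unchecked 32-bit size multiplication wraps into an undersized allocation, shown beside the bounds check that rejects it. `ELEM_SIZE` and the record count are constructed values.

```c
/* Added illustration, not Google's Framework code and not the CVE-2025-48595
 * bug itself: how an unchecked multiplication in a 32-bit size computation
 * wraps to a tiny value, and the check that rejects it before allocation. */
#include <stdint.h>
#include <stdio.h>

/* Constructed: bytes per record in a hypothetical fixed-size record buffer. */
#define ELEM_SIZE 16u

/* Vulnerable pattern: count * ELEM_SIZE is evaluated in 32 bits, so a large
 * count wraps modulo 2^32 and the caller allocates far too little memory. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Bytes a writer would actually need, computed in 64 bits so it cannot wrap. */
uint64_t payload_bytes(uint32_t count) {
    return (uint64_t)count * ELEM_SIZE;
}

/* 1 if the wrapped size is smaller than the payload it must hold: the
 * undersized-allocation condition the article describes. */
int allocation_is_undersized(uint32_t count) {
    return (uint64_t)unchecked_alloc_size(count) < payload_bytes(count);
}

/* Hardened pattern: refuse any count whose product cannot be represented in
 * uint32_t. Returns the exact byte total, or 0 to signal rejection (0 is
 * never a valid request here, so callers treat it as an error). */
uint32_t checked_alloc_size(uint32_t count) {
    if (count > UINT32_MAX / ELEM_SIZE) {
        return 0;
    }
    return count * ELEM_SIZE;
}

int main(void) {
    /* Constructed: 2^28 + 1 records; the true total is 2^32 + 16 bytes. */
    uint32_t count = 0x10000001u;
    printf("count=%u unchecked=%u bytes, needed=%llu bytes, undersized=%d\n",
           count, unchecked_alloc_size(count),
           (unsigned long long)payload_bytes(count),
           allocation_is_undersized(count));
    printf("checked_alloc_size=%u (0 means rejected)\n",
           checked_alloc_size(count));
    return 0;
}
```

With the constructed count, the unchecked path reports 16 bytes for a payload of over 4 GiB, while the checked path rejects the request outright.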

The two-stage attack chain

CVE-2025-48595 is classified as a local privilege escalation vulnerability — it requires the attacker to already have code execution running on the device before exploiting it. This is a meaningful constraint compared to a fully remote, zero-click exploit. However, it is less of a barrier than it might appear.

The most common initial access vectors in this attack class are:

The "no user interaction required" attribute in the CVE description applies specifically to the privilege escalation stage. Once the initial foothold is established, the device can be fully compromised silently. The combination of a low-interaction delivery method and a no-interaction privilege escalation makes CVE-2025-48595 an efficient second-stage component for targeted mobile attack campaigns — which is why surveillance operators were using it before Google could publish a patch.

The CVSS score of 8.4 reflects a high-severity flaw. It is rated High rather than Critical because the local pre-condition (prior code execution) is factored into the base score. In practice, for a device already carrying a trojanised application, the pre-condition is already satisfied — and the effective impact is full device compromise.

How to Protect Your Android Device Right Now

The most effective action any Android user can take in response to CVE-2025-48595 is to apply the June 2026 security patch. Here is how to check your status and what to do at each step.

Step 1 — Check your current patch level. Go to Settings → About phone → Security update (the exact path varies by manufacturer, but it is typically under About phone or About device). Your current security patch level is shown as a date. If it reads anything earlier than June 2026, your device is vulnerable to CVE-2025-48595 and the other vulnerabilities in this bulletin.

Step 2 — Install updates without delay. Go to Settings → System → System update and check for available updates. If an update is listed, install it now rather than postponing. For the complete set of June fixes — including kernel and chipset components — your device needs to reach patch level 2026-06-05.

Step 3 — Restrict app installation sources. CVE-2025-48595 requires initial code execution on the device, and the most common delivery method is applications installed outside the Google Play Store. Check Settings → Security → Install unknown apps and ensure no unauthorised sources are enabled. If you have recently installed an unfamiliar application from an unofficial source or a direct APK download, remove it.

Step 4 — Review app permissions. Open Settings → Privacy → Permission manager and audit which apps have access to sensitive resources — location, camera, microphone, contacts, and storage. Any application requesting permissions that do not align with its stated function warrants scrutiny. Revoke permissions that appear unnecessary.

Step 5 — Add network-level protection. Patching the operating system addresses this specific vulnerability. It does not address the network environment in which a phone operates. Android devices are regularly used on public Wi-Fi networks — in cafes, airports, hotels, and shopping centres — where network traffic can be observed or manipulated by other parties on the same network. Encrypting all network traffic at the device level is a complementary control that remains valuable regardless of what vulnerabilities exist in the operating system at any given time. NordVPN's Android application encrypts device traffic end-to-end and includes Threat Protection Lite, which blocks connections to known malicious domains at the network level before any connection is established — providing an additional barrier against the malicious-application delivery mechanism that attackers use to obtain the initial code execution foothold that CVE-2025-48595 requires.

Step 6 — Prioritise devices used for work access. Australian organisations subject to the ASD's Essential Eight framework should treat mobile operating system patching with the same urgency as workstation patching. Mitigation Strategy 2 (patch operating systems) applies to mobile endpoints as well as desktops. Any device used to access corporate email, cloud applications, remote desktop systems, or data containing personal or business-sensitive information should be prioritised for the June 2026 update.

Mobile Devices Are Now Primary Targets — What This Pattern Means for Australian Users

CVE-2025-48595 is not an isolated incident. It fits a well-documented pattern: mobile operating system zero-days are discovered by commercial surveillance vendors or nation-state actors, used in targeted campaigns against high-value individuals, and disclosed publicly only when the vendor becomes aware and can issue a patch. By the time a bulletin is published, the vulnerability has often been in active use for weeks or months.

Google's Threat Analysis Group (TAG) and Project Zero have documented multiple similar cases. In each instance, the "limited, targeted exploitation" language was later associated with specific commercial surveillance operators. The June 2026 disclosure follows the same pattern. This does not mean every Android user faces a direct risk — the overwhelming majority do not. But it does mean the vulnerability has been weaponised by sophisticated actors, and once exploitation techniques are confirmed in the wild, that knowledge diffuses. After disclosure and patching, proof-of-concept code appears in research, the patch can be reverse-engineered to understand the flaw, and the capability spreads from nation-state operators to broader criminal ecosystems. Devices that remain unpatched during this window face escalating risk.

For Australian small businesses and individuals, the implications are practical rather than theoretical. Mobile phones used to access corporate email, business banking, or cloud applications are endpoints in the same security sense as laptops and desktops. An unpatched endpoint is a potential entry point. The ASD's guidance on bring-your-own-device (BYOD) arrangements explicitly recommends ensuring that devices accessing business data maintain current security patches — a requirement this bulletin makes freshly urgent.

The principle of defence-in-depth applies to mobile security as directly as it applies to any other environment. No single control eliminates all risk, and the most effective approach combines multiple complementary measures:

The June 2026 bulletin patches 124 vulnerabilities. Applying it is the single highest-impact action an Android user can take this week. For users whose devices are managed by carriers or manufacturers with slow update cycles — a genuine constraint for many Australians, particularly those on budget handsets or older flagship models — the secondary controls above represent the next-best set of mitigations while waiting for the official patch to arrive.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.