Android Zero-Day CVE-2025-48595 Exploited in Targeted Attacks, Google Warns


Google has patched an Android zero-day vulnerability that may have been exploited in limited, targeted attacks. The flaw, tracked as CVE-2025-48595, affects the Android Framework and could let attackers escalate privileges on vulnerable devices.

The issue appears in Google’s June 2026 Android Security Bulletin, which was published on June 1 and updated on June 3. Google said there are indications that CVE-2025-48595 may be under limited, targeted exploitation.

The vulnerability affects Android 14, Android 15, Android 16, and Android 16 QPR2. Google lists it as a high-severity elevation-of-privilege bug in the Framework component, with fixes included in the June 2026 Android security updates.

What CVE-2025-48595 does

CVE-2025-48595 is an Android Framework privilege escalation vulnerability. The Framework is a core Android layer that handles many system services and APIs used by apps and the operating system.

Help Net Security described the bug as an integer overflow vulnerability. In an integer overflow, an arithmetic result exceeds the range of its integer type and wraps around. When that happens in a size, length, or index calculation, code that trusts the result can allocate too little memory or read and write outside intended bounds, and an attacker who controls the inputs can turn that condition into code execution or a bypass of a privilege check.

Google did not publish technical exploitation details. That is common for Android zero-days because public details can help other attackers build working exploits before users and device makers finish patching.

Detail                 Information
CVE ID                 CVE-2025-48595
Component              Android Framework
Bug type               Elevation of privilege
Severity               High
Affected versions      Android 14, 15, 16, and 16 QPR2
Exploitation status    Limited, targeted exploitation indicated
Fixed in               June 2026 Android security patch levels

Google says exploitation appears limited and targeted

Google’s wording suggests this was not a broad malware campaign against all Android users. Instead, the company says there are indications of limited, targeted exploitation, which usually means a smaller number of selected targets.

The U.S. Cybersecurity and Infrastructure Security Agency also added the flaw to its Known Exploited Vulnerabilities catalog. CISA lists exploited flaws because they pose higher real-world risk than vulnerabilities known only from lab research.

Google has not named the threat actors, victims, countries, or delivery method. In real-world mobile attacks, privilege escalation bugs often appear as one part of a larger exploit chain, paired with another weakness that provides the first foothold.

Why this Android flaw matters

Privilege escalation bugs matter because Android normally isolates apps from sensitive system resources. A successful exploit can help attackers break past those boundaries after they have already gained some level of code execution on a device.

That does not mean CVE-2025-48595 automatically gives every attacker complete device control. However, it can increase the impact of a separate exploit, malicious app, or spyware-style attack chain.

The risk is higher for people who may face targeted mobile surveillance, including government officials, journalists, activists, executives, researchers, and people working in sensitive industries.

  • Attackers may use the flaw to raise privileges after initial access.
  • No extra user interaction is needed once the vulnerable path is reached.
  • Android 14 through Android 16 QPR2 are listed as affected.
  • Patch availability depends on device maker and carrier rollout schedules.
  • Users should install the June 2026 Android security update as soon as it appears.

June 2026 Android update includes two patch levels

The June Android update uses two patch levels. The 2026-06-01 patch level addresses Android platform issues, including CVE-2025-48595. The 2026-06-05 patch level includes those fixes plus additional kernel and third-party component patches.

The Android Security Bulletin says security patch levels of 2026-06-05 or later address all listed issues. Device makers that use only the 2026-06-01 level must include all fixes assigned to that first patch level.

Android updates do not reach every device at the same time. Pixel devices usually receive updates quickly, while Samsung, OnePlus, Xiaomi, Motorola, and carrier-controlled devices may follow their own schedules.

Patch level   What it covers                                                     User meaning
2026-06-01    Core Android platform vulnerabilities, including Framework flaws   Addresses CVE-2025-48595 and related platform issues
2026-06-05    All 2026-06-01 fixes plus kernel and third-party component fixes   Best target patch level for complete June bulletin coverage

How to check whether your Android phone is patched

Android users should check the security patch level in the Settings app. Google’s Android update help page explains that users can find the Android version, Android security update, Google Play system update, and build number under the device information screen.

The exact menu path can vary by device maker. On most phones, open Settings, go to About phone or About device, then check Android version and Android security update.

If your Android security update shows June 1, 2026, or later, the phone should include the platform fixes for this bulletin. If it shows June 5, 2026, or later, it should include the full June Android bulletin coverage.

  1. Open the Settings app.
  2. Tap About phone or About device.
  3. Tap Android version or Software information.
  4. Check the Android security update date.
  5. Install any available system update.
  6. Restart the device if the update requires it.
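For anyone with USB debugging enabled, or an administrator handling a device at a desk, the same check can be scripted with adb. The following is an added example, not code from Google or from the original article: it reads the ro.build.version.security_patch system property (the same date the Settings screen displays) and classifies it against the two June 2026 patch levels. It assumes adb is installed and the device is authorized for USB debugging; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from Google or the original article): classify an Android
# security patch level against the June 2026 bulletin thresholds, and optionally
# read the level from a USB-connected device with adb.
# Assumes: adb is installed and the device is authorized for USB debugging.

PLATFORM_LEVEL=20260601   # 2026-06-01: platform fixes, including CVE-2025-48595
FULL_LEVEL=20260605       # 2026-06-05: adds kernel and third-party component fixes

# patch_status LEVEL
# LEVEL is the patch date as Android reports it (YYYY-MM-DD).
# Prints one of: full, platform, vulnerable, unknown.
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Strip the hyphens so the date can be compared as an integer (20260605).
    num=$(printf '%s' "$1" | tr -d '-')
    if [ "$num" -ge "$FULL_LEVEL" ]; then
        echo full            # complete June 2026 bulletin coverage
    elif [ "$num" -ge "$PLATFORM_LEVEL" ]; then
        echo platform        # CVE-2025-48595 fixed; kernel/third-party fixes may be missing
    else
        echo vulnerable      # predates the June 2026 platform fixes
    fi
}

# check_device: query the connected device for its Android release and patch level.
# The tr strips the carriage return that adb shell adds on some hosts.
check_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'Android %s, security patch %s: %s\n' "$release" "$level" "$(patch_status "$level")"
}

# Run the live check only when asked, so the functions can be sourced or tested
# on a host without adb:   sh check_patch.sh --device
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

A device that prints "platform" has the CVE-2025-48595 fix but not the kernel and third-party fixes of the 2026-06-05 level; "vulnerable" means the June platform fixes are absent and the device should be updated before it is used for sensitive work.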

Google Play Protect can reduce app-based risk

Google Play Protect also plays a role in reducing Android malware risk. Google says Google Play Protect scans apps on Android devices and helps prevent harmful apps from being installed.

This protection matters because many Android attacks start with app delivery, phishing, or sideloading. Play Protect cannot replace operating system patches, but it adds another layer for detecting potentially harmful apps.

Users who install apps from outside Google Play face more risk. That does not mean every sideloaded app is malicious, but attackers often prefer third-party download channels because they can avoid some store-level review and reputation checks.

What organizations should do now

Organizations that manage Android devices should prioritize the June update, especially for executives, administrators, engineers, public-sector workers, journalists, legal teams, and other high-risk users.

Security teams should review mobile device management dashboards for devices that remain below the June 2026 patch level. They should also check whether employees can sideload apps and whether Play Protect remains enabled.

The CISA KEV catalog addition should push enterprise teams to treat CVE-2025-48595 as an urgent patching priority. Exploited vulnerabilities deserve faster handling than routine monthly fixes.

  • Require June 2026 Android security updates on managed devices.
  • Prioritize high-risk users and devices that access sensitive company data.
  • Restrict sideloading where business needs do not require it.
  • Keep Google Play Protect enabled on devices with Google Mobile Services.
  • Investigate devices that show unusual app installs, crashes, or privilege-related behavior.
  • Use mobile threat defense tools for executive and regulated environments.
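Most MDM consoles can export the device inventory as CSV, which makes the dashboard review above scriptable. The script below is an added example, not part of the original article or of any MDM product's tooling: it reads a constructed sample export (the column names, device IDs, users, and risk tiers are invented for illustration) and lists every device that is below the 2026-06-01 or 2026-06-05 patch level or still allows sideloading, ordered so that risk tier 1 users come first.

```shell
#!/bin/sh
# Added example (not from the original article or any MDM vendor): triage an
# exported device inventory against the June 2026 Android patch levels.
# The CSV below is constructed sample data; the column layout is an assumption,
# since real exports differ by MDM product.

INVENTORY='device_id,user,risk_tier,android,security_patch,sideload_allowed
PX-001,cfo@example.com,1,16,2026-06-05,no
PX-002,press@example.com,1,15,2026-05-01,yes
SM-010,dev1@example.com,2,14,2026-06-01,no
SM-011,sales@example.com,3,15,2026-04-05,no
OP-020,legal@example.com,1,16,2026-06-05,yes
XM-030,intern@example.com,3,14,2026-03-05,yes'

# triage CSV_TEXT
# Prints one tab-separated line per device that needs action:
#   device_id  user  risk_tier  finding
# sorted by risk tier (1 = highest) and then by device id.
triage() {
    printf '%s\n' "$1" | awk -F, -v platform=20260601 -v full=20260605 '
        NR == 1 { next }                     # skip the header row
        {
            level = $5
            gsub(/-/, "", level)             # 2026-06-05 -> 20260605
            finding = ""
            if (level + 0 < platform) {
                finding = "below 2026-06-01: CVE-2025-48595 unpatched"
            } else if (level + 0 < full) {
                finding = "2026-06-01 only: kernel/third-party fixes missing"
            }
            if ($6 == "yes") {
                finding = finding (finding == "" ? "" : "; ") "sideloading allowed"
            }
            if (finding != "") {
                printf "%s\t%s\t%s\t%s\n", $1, $2, $3, finding
            }
        }' | sort -t "$(printf '\t')" -k3,3n -k1,1
}

# unpatched_count CSV_TEXT: number of devices still missing the CVE-2025-48595 fix.
unpatched_count() {
    triage "$1" | grep -c 'CVE-2025-48595 unpatched'
}

triage "$INVENTORY"
```

The patch date is compared as an integer after the hyphens are removed, so the same logic works for any month's bulletin by changing the two thresholds. Devices on the 2026-06-01 level are reported separately because they have the Framework fix but not the kernel and third-party fixes; a tier 1 user on such a device is still worth a follow-up.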

What Android users should avoid until patched

Users who have not yet received the June patch should avoid unnecessary risk. Do not install APK files from unknown sites, unsolicited messages, social media links, file-sharing services, or email attachments.

Users should also review app permissions and remove apps they no longer recognize or use. Google’s Play Protect feature can help flag dangerous apps, but timely Android security updates remain the most important fix for CVE-2025-48595.

If an update is available, install it before doing sensitive work on the device. Google’s Android update instructions also recommend following any update notification when it appears.

FAQ

What is CVE-2025-48595?

CVE-2025-48595 is a high-severity Android Framework elevation-of-privilege vulnerability. Google says there are indications that it may be under limited, targeted exploitation.

Which Android versions are affected by CVE-2025-48595?

Google lists Android 14, Android 15, Android 16, and Android 16 QPR2 as affected versions for CVE-2025-48595.

Is CVE-2025-48595 a critical Android vulnerability?

No. Google lists CVE-2025-48595 as high severity. The June 2026 bulletin also includes critical vulnerabilities, but this specific CVE is categorized as high severity.

How do I fix CVE-2025-48595 on Android?

Install the June 2026 Android security update when it becomes available for your device. A security patch level of 2026-06-01 or later addresses the relevant platform fixes, while 2026-06-05 or later includes the full June bulletin coverage.

Can Google Play Protect replace the Android security update?

No. Google Play Protect can help detect harmful apps, but it does not replace the operating system patch. Users should keep Play Protect enabled and install the Android security update as soon as it is available.
