CISA Adds Exploited Android Framework Vulnerability to KEV Catalog as Google Ships June Security Fix
CISA has added CVE-2025-48595, an Android Framework integer overflow vulnerability, to its Known Exploited Vulnerabilities catalog after evidence of real-world exploitation. The flaw can lead to code execution and local privilege escalation on affected Android devices.
Google fixed the issue in the Android Security Bulletin for June 2026, which was published on June 1 and updated on June 3. Google said there are indications that CVE-2025-48595 may be under limited, targeted exploitation.
The vulnerability affects Android 14, Android 15, Android 16, and Android 16 QPR2, according to the NVD entry for CVE-2025-48595. Users and enterprise administrators should check device patch levels and apply the June 2026 Android security update as soon as it becomes available from their device maker or carrier.
What CVE-2025-48595 Does
CVE-2025-48595 sits in the Android Framework, one of the core layers that handles system services and application interactions. The bug is an integer overflow (CWE-190): an arithmetic result exceeds the range of the integer type that holds it and wraps around, so later code operates on a value that is smaller or larger than intended.
In this case, the overflow can create a path to code execution. The official CVE description says the flaw can lead to local escalation of privilege with no additional execution privileges needed and no user interaction required.
That makes the vulnerability especially important for mobile security teams. A local privilege escalation bug can help an attacker move beyond a normal app sandbox and gain broader access to sensitive system resources when chained with another exploit.
Key Details At A Glance
| Item | Detail |
| --- | --- |
| CVE ID | CVE-2025-48595 |
| Affected component | Android Framework |
| Weakness type | Integer overflow or wraparound, CWE-190 |
| Severity | High, CVSS 3.1 score of 8.4 from CISA-ADP data in NVD |
| Impact | Code execution and local privilege escalation |
| User interaction required | No |
| Known exploitation | Listed in CISA KEV after evidence of exploitation |
| Federal remediation date | June 5, 2026 |
CISA Sets a Fast Remediation Deadline
The CISA KEV catalog lists the vulnerability as Android Framework Integer Overflow Vulnerability. The agency added it on June 2, 2026, with a due date of June 5, 2026, for covered federal systems.
CISA’s required action tells agencies to apply vendor instructions, follow Binding Operational Directive 22-01 guidance for cloud services where applicable, or stop using the affected product if mitigations are not available. That deadline reflects the higher urgency CISA gives to bugs with evidence of exploitation.
Although the KEV directive applies directly to U.S. federal civilian executive branch agencies, private companies often use the catalog to prioritize fixes. For Android fleets, KEV listing means administrators should treat this update as more urgent than a routine monthly patch.
Google’s June 2026 Android Patch Levels
Google says security patch levels of 2026-06-05 or later address all issues covered in the June bulletin. Devices with the 2026-06-01 patch level address the vulnerabilities tied to that first patch level, while 2026-06-05 includes the broader set of fixes.
The June 2026 Android bulletin also notes that Google Play Protect helps reduce risk by monitoring for abuse and warning users about potentially harmful applications. However, Play Protect does not replace a system security patch.
Android updates can arrive at different times depending on the device maker, model, region, and carrier. Pixel devices usually receive Google patches quickly, while Samsung, Motorola, OnePlus, Xiaomi, and other Android vendors may publish their own update schedules.
Why Enterprise Android Devices Face Higher Risk
Android Framework bugs can create broad exposure because the vulnerable component belongs to the operating system, not a single app. That means removing a suspicious app alone may not fix the underlying risk if the system patch level remains outdated.
The CVE record says the flaw can lead to code execution through integer overflow in multiple locations. The listed CVSS vector also shows a local attack vector, low attack complexity, no privileges required, and no user interaction required.
For organizations, the highest priority devices include phones used by executives, IT administrators, finance staff, journalists, legal teams, government personnel, and employees with access to internal systems. These devices often hold email, authentication apps, VPN profiles, chat history, and cloud management access.
What Users Should Do Now
- Open the Android system update page and install the latest available security update.
- Check the Android security patch level after updating.
- Look for a June 2026 security patch level, preferably 2026-06-05 or later.
- Keep Google Play Protect enabled.
- Avoid installing apps from unknown sources.
- Restart the device after applying the update.
- Replace or isolate devices that no longer receive Android security patches.
Managed device environments should also enforce mobile device management compliance rules. Devices that do not meet the required patch level should lose access to corporate email, VPN, cloud dashboards, and sensitive internal apps until they receive the update.
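As an added, illustrative compliance check (not code from Google, CISA or this article), the patch-level rule described under Google's June 2026 patch levels and the checklist and MDM gating above can be expressed like this: each device's Android release and the patch level it reports (the `ro.build.version.security_patch` property) are classified against the 2026-06-01 and 2026-06-05 levels, and devices that do not meet the required level are listed for access removal. The device IDs and inventory are constructed samples.

```python
from datetime import date
# Patch levels and affected releases as described in the June 2026 bulletin coverage above.
CVE_FIX_LEVEL = "2026-06-01"        # level Google lists CVE-2025-48595 under
FULL_BULLETIN_LEVEL = "2026-06-05"  # level that addresses every June 2026 issue
AFFECTED_MAJORS = {14, 15, 16}      # Android 14, 15, 16 and 16 QPR2 per the NVD entry

def parse_patch_level(value):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if malformed."""
    try:
        year, month, day = (int(p) for p in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None  # garbage must never be counted as patched

def assess_device(android_release, patch_level):
    """Return 'release_not_listed', 'unknown', 'vulnerable', 'cve_fixed'
    (has the CVE fix but not the full bulletin) or 'fully_patched'."""
    try:
        major = int(android_release.split()[0].split(".")[0])  # "16 QPR2" -> 16
    except (ValueError, IndexError, AttributeError):
        return "unknown"
    if major not in AFFECTED_MAJORS:
        return "release_not_listed"
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown"
    if level >= parse_patch_level(FULL_BULLETIN_LEVEL):
        return "fully_patched"
    if level >= parse_patch_level(CVE_FIX_LEVEL):
        return "cve_fixed"
    return "vulnerable"

def devices_to_block(inventory, require_full_bulletin=True):
    """MDM-style gate returning IDs that should lose corporate access. Unparsable
    data and releases outside the bulletin's scope are blocked pending review."""
    allowed = {"fully_patched"}
    if not require_full_bulletin:
        allowed.add("cve_fixed")
    return [d["id"] for d in inventory
            if assess_device(d["release"], d["patch"]) not in allowed]

# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    {"id": "pixel-exec-01", "release": "16 QPR2", "patch": "2026-06-05"},
    {"id": "galaxy-fin-07", "release": "15", "patch": "2026-06-01"},
    {"id": "moto-it-03", "release": "14", "patch": "2026-05-01"},
    {"id": "legacy-12", "release": "13", "patch": "2024-03-05"},
    {"id": "tablet-qa-02", "release": "16", "patch": "n/a"},
]
```

Running `devices_to_block(SAMPLE_INVENTORY)` with the default setting blocks everything below 2026-06-05; passing `require_full_bulletin=False` accepts devices that carry only the 2026-06-01 level under which this CVE is listed.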
Security teams should also review logs from mobile threat defense tools, identity systems, and device management platforms for suspicious activity. Exploited mobile privilege escalation flaws often appear as part of a larger chain, so unusual app behavior, failed compliance checks, or unexpected device changes deserve attention.
Why This Android Flaw Should Not Be Ignored
CVE-2025-48595 does not mean every Android phone has already been attacked. It means Google and CISA have seen enough evidence to treat the bug as exploited or likely exploited in targeted activity.
The Known Exploited Vulnerabilities listing makes the patch a priority for organizations that manage Android devices at scale. Delayed patching gives attackers more time to combine the flaw with other weaknesses or delivery methods.
For most users, the best response is simple: install the latest Android security update, keep app protections turned on, and avoid sideloading software from untrusted sources. For enterprises, the next step is to verify patch status across every managed Android device and block outdated phones from sensitive resources.
FAQ
CVE-2025-48595 is an Android Framework integer overflow vulnerability that can lead to code execution and local privilege escalation. Google patched it in the June 2026 Android Security Bulletin.
Yes. CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog based on evidence of exploitation, and Google said the flaw may be under limited, targeted exploitation.
The NVD entry lists Android 14, Android 15, Android 16, and Android 16 QPR2 as affected configurations. Users should install the June 2026 Android security update when available for their device.
Google lists CVE-2025-48595 under the 2026-06-01 Android security patch level. Security patch levels of 2026-06-05 or later address all issues in the June 2026 bulletin.
Users should install the latest Android security update, keep Google Play Protect enabled, avoid sideloading apps from unknown sources, and replace devices that no longer receive security patches.