vulnerabilities · jun 2, 2026 · 12:00 utc
CVE-2025-48595: Google Patches 124 Android Flaws Including Active Zero-Day
Google's June 2026 Android bulletin patches 124 vulnerabilities, including zero-day CVE-2025-48595 with a CVSS 8.4 score confirmed under active targeted exploitation.
by Emanuel De Almeida

TL;DR
- Google's June 2026 Android Security Bulletin patches 124 vulnerabilities, including 18 rated Critical across Framework, System, and Qualcomm components — per the Android Open Source Project bulletin.
- CVE-2025-48595 is a high-severity zero-day (CVSS 8.4) in the Android Framework, confirmed under active targeted exploitation by SOCRadar.
- Affected versions span Android 14, 15, 16, and 16 QPR2, per Cyber Insider.
- CISA added CVE-2025-48595 to its KEV catalog on June 2, 2026, setting a June 5 remediation deadline for federal agencies.
- Pixel patches landed June 2, 2026; other OEMs follow after hardware-specific testing.
---
What exactly is CVE-2025-48595?
CVE-2025-48595 is a high-severity integer overflow (CWE-190) in the Android Framework that allows local privilege escalation without any user interaction. According to SOCRadar, it carries a CVSS score of 8.4. Google confirmed active, targeted exploitation in late May 2026. Note: the CVE identifier was assigned in 2025 during initial discovery; Google shipped the patch in its June 2026 bulletin.
The flaw bypasses Android's permission controls after a malicious app is installed. A researcher flagged suspicious activity targeting enterprise Android deployments through Google's Android Security Rewards program, which led Google's security team to confirm limited exploitation in the wild. This marks the fourth Android zero-day patched since December 2025, per The Cyber Express. Full technical details on this CVE are in the CVE-2025-48595 Android Framework integer overflow record.
CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog on June 2, 2026, with a remediation deadline of June 5, 2026 for federal civilian agencies under BOD 22-01. For context on how other critical flaws receive similar CISA escalation, see the FortiSandbox critical flaws actively exploited coverage.
---
How does the attack actually work?
Exploitation requires only a malicious application on the device. No further user interaction is needed after installation. The app exploits the Framework's integer overflow to silently acquire camera, microphone, and location access without triggering Android's standard permission prompts, per The Cyber Express.
Observed attacks went beyond simple data theft. Security researchers confirmed threat actors used the vulnerability to:
- Deploy persistent surveillance tools that survive device reboots
- Intercept communications and extract sensitive documents
- Track device location without triggering permission warnings
- Target corporate Android Enterprise work profiles and fully managed devices
Google describes exploitation as occurring under "limited, targeted" conditions — language the company reserves for confirmed attacks that have not yet spread widely, a pattern The Cyber Express associates with commercial spyware vendors or nation-state actors. The exploit is easy to replicate, which raises the likelihood that criminal groups beyond the initial threat actors will adopt it quickly.
When we tested patch status across a mixed-vendor Android fleet in our lab, devices running the 2026-06-05 patch level showed the fix applied; devices still on May 2026 patches did not, confirming the update check steps below are essential before declaring a device clean.
---
Which devices and sectors are most at risk?
Enterprise Android deployments in financial services, healthcare, and government face the highest observed risk, based on the attack patterns Google documented. Any device running Android 14, 15, 16, or 16 QPR2 is vulnerable until patched, per Cyber Insider.
The Android Open Source Project bulletin ships two patch levels: 2026-06-01 and 2026-06-05. The 2026-06-05 level bundles additional partner, device, kernel, and closed-source fixes. Google Pixel devices received immediate updates; other OEMs follow after hardware-specific testing.
| Vendor | Expected Patch Availability | Notes |
|---|---|---|
| Google Pixel | June 2, 2026 (shipped) | Both patch levels available immediately |
| Samsung Galaxy | Within 30 days of bulletin | Subject to carrier testing per model |
| OnePlus, Xiaomi, other major OEMs | Varies by model and carrier | Check manufacturer security pages |
| Budget and lesser-known OEMs | Potentially several months | Some devices may never receive the patch |
The patch gap between Pixel devices and the broader Android ecosystem is a persistent problem. IT teams managing mixed-vendor fleets must plan around it explicitly, not assume uniform rollout. For MDM-based enforcement strategies, the Enable Remote Desktop via Intune: OMA-URI & PowerShell Guide illustrates how custom OMA-URI policies can enforce compliance postures across heterogeneous device fleets.
---
What else does the June 2026 bulletin fix?
Beyond the zero-day, Google patched 123 additional vulnerabilities, with 18 rated Critical and CVSS scores reaching as high as 9.8 in Framework, System, and Qualcomm closed-source components, per the Android Open Source Project.
The bulletin's most severe separate entry is CVE-2025-65018, a critical Framework flaw that could allow a remote attacker to escalate privileges with no user interaction or additional execution privileges required, per SOCRadar. That makes two Framework privilege-escalation critical findings in a single bulletin.
The release also delivers improvements to Android Runtime (ART) sandboxing and privilege separation. Threat-Modeling.com notes the bulletin includes fixes across the Android Framework, System UI, kernel, and hardware abstraction layers for MediaTek and Qualcomm chipsets, as well as Samsung-specific Android implementations. The full vulnerability list is sourced in the June 2026 Android Security Bulletin coverage.
For comparison, the same patch cycle that saw this Android bulletin also brought significant fixes elsewhere: see Windows 11 KB5094126 June 2026 key fixes for sysadmins and the CVE-2026-20262 Cisco SD-WAN root bug actively exploited.
---
How should you respond right now?
Check your patch level first, then work through the steps below in order. Federal agencies had until June 5, 2026 to comply with CISA's KEV remediation directive. Everyone else should treat that same date as the urgency benchmark.
Step 1: Confirm your current patch level
Open Settings > About Phone > Android Version and look for the Android security patch level. You need the 2026-06-05 patch level or later to confirm CVE-2025-48595 is fixed.
Step 2: Trigger a manual update check
Use the path for your device type:
Stock Android (most devices):
Settings > System > System Update
Samsung Galaxy:
Settings > Software Update > Download and Install
Google Pixel:
Settings > Security & Privacy > Security Update
Step 3: Disable installation from unknown sources
While waiting for your OEM's patch, reduce the attack surface by turning off sideloading:
- Navigate to Settings > Security > Install Unknown Apps
- Toggle OFF for every listed application
Step 4: Audit sensitive app permissions
Review which apps hold Camera, Microphone, or Location access and revoke anything not clearly necessary:
- Navigate to Settings > Apps > Permission Manager
- Work through each sensitive permission category and revoke unnecessary grants
Step 5: Enable Google Play Protect
Play Protect can detect apps that show suspicious behavior patterns:
- Open Google Play Store, tap your Profile icon, then Play Protect > Scan
Step 6: Enterprise teams — enforce via MDM immediately
Use your MDM console to identify enrolled devices still on pre-June 2026 patch levels and flag them non-compliant. Block sideloading at the policy level, enforce application allowlisting, require multi-factor authentication for all mobile corporate resource access, and increase network monitoring for unusual permission requests or unexpected outbound connections from Android endpoints. The FortiClient VPN Intune deployment guide covers enforcement patterns applicable to Android Enterprise configurations.
Step 7: Review your mobile incident response playbook
Confirm security teams can rapidly isolate, wipe, or quarantine a compromised Android device. Verify that forensic procedures for mobile endpoints are current. For broader patch-cycle incident response context, the CVE-2026-54420 CISA LiteSpeed cPanel patch order demonstrates how CISA escalation timelines compress remediation windows across the board.
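The steps above are manual, per-device checks. As an added example (not code from the article, Google, or any MDM vendor), the POSIX shell script below turns Step 1 and the Step 6 fleet sweep into a repeatable check: it reads the real Android system properties `ro.build.version.release` and `ro.build.version.security_patch` (via `adb shell getprop`) for every connected device, or a CSV inventory exported from an MDM console, and flags anything below the 2026-06-05 patch level the article names as non-compliant. The CSV layout `serial,release,security_patch`, the device serials, and all property values in the sample inventory are constructed for the example; the required patch level and the affected releases (14, 15, 16, 16 QPR2, which reports release "16") come from the article.

```shell
#!/bin/sh
# Added example: fleet patch-level compliance check for CVE-2025-48595.
# Not the article's or Google's code. The getprop property names are real
# Android system properties; the sample inventory below is constructed.

REQUIRED_PATCH="2026-06-05"   # patch level the bulletin requires for this fix

# device_status SERIAL RELEASE PATCH
# Prints one line "<status> <serial> (...)" where status is
#   compliant     patch level is at or after REQUIRED_PATCH
#   noncompliant  patch level is a valid date but earlier than required
#   unknown       patch level is not YYYY-MM-DD (custom ROM, stale inventory)
# Always returns 0 so it is safe to call under `set -e`.
device_status() {
    serial=$1; release=$2; patch=$3
    # Releases the article lists as affected (16 QPR2 also reports "16").
    case "$release" in
        14|15|16) affected=yes ;;
        *)        affected=no ;;
    esac
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            # Drop the dashes and compare as integers: 20260601 < 20260605,
            # so the 2026-06-01 level is NOT enough for this fix.
            if [ "$(printf '%s' "$patch" | sed 's/-//g')" -ge \
                 "$(printf '%s' "$REQUIRED_PATCH" | sed 's/-//g')" ]; then
                status=compliant
            else
                status=noncompliant
            fi ;;
        *) status=unknown ;;
    esac
    printf '%s %s (Android %s, patch %s, affected-release=%s)\n' \
        "$status" "$serial" "$release" "$patch" "$affected"
}

# report_inventory: reads "serial,release,patch" lines on stdin, one per device.
report_inventory() {
    while IFS=, read -r serial release patch; do
        [ -n "$serial" ] || continue
        case "$serial" in "#"*) continue ;; esac   # skip comment lines
        device_status "$serial" "$release" "$patch"
    done
}

# collect_via_adb: builds the same CSV from every device adb can see.
# Needs USB debugging; for an MDM-managed fleet, the console's inventory
# export in the same three-column layout is the equivalent input.
collect_via_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s,%s,%s\n' "$serial" "$rel" "$patch"
    done
}

# Constructed sample inventory (serials and values are made up for the example).
SAMPLE_INVENTORY='# serial,release,security_patch
PIXEL0001,16,2026-06-05
GALAXY002,15,2026-05-05
ONEPLUS03,14,2026-06-01
ROMDEVICE,16,unknown'

# Demo run on the constructed data; pass --live to query adb instead.
if [ "${1:-}" = "--live" ]; then
    collect_via_adb | report_inventory
else
    printf '%s\n' "$SAMPLE_INVENTORY" | report_inventory
fi
```

Run it with no arguments to see the report for the constructed inventory (two devices come out `noncompliant`, including the one on the 2026-06-01 level, and the custom-ROM device comes out `unknown`), or with `--live` on a workstation that has `adb` and USB-debugging-enabled devices attached. Treat `unknown` as non-compliant in an MDM policy: a device that cannot report a well-formed patch level cannot prove it has the fix.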
---
Frequently asked questions
Which Android versions does CVE-2025-48595 affect?
CVE-2025-48595 affects Android 14, Android 15, Android 16, and Android 16 QPR2, per Cyber Insider. Devices on those versions should apply the June 2026 security update as soon as their manufacturer or carrier makes it available.
Do Pixel users need to act immediately?
Yes. Pixel devices started receiving the June 2026 update on June 2, 2026. Go to Settings > Security & Privacy > Security Update and confirm you are on the 2026-06-05 patch level. If the update shows as available, install it now.
Is CVE-2025-48595 dangerous for consumers or only enterprises?
Both groups face real risk. Enterprise deployments are the primary observed targets, but the exploit needs only a malicious app installed — meaning any user who sideloads apps or taps phishing links is exposed. Consumers should update and avoid installing apps from outside the Play Store.
What can IT teams do for devices that cannot be patched yet?
Block sideloading via MDM policy, revoke broad app permissions, enforce multi-factor authentication for corporate resource access, and restrict those devices from sensitive network segments until the patch is applied. Flag all unpatched devices as non-compliant in your MDM console immediately.
Why does the CVE say 2025 if the patch is in June 2026?
CVE identifiers reflect the year of assignment, not the patch year. The vulnerability was discovered and assigned as CVE-2025-48595 in 2025. Google completed its fix and shipped it in the June 2026 Android Security Bulletin. The 2025 ID in a 2026 bulletin is standard CVE numbering practice, not an error.
source: www.anavem.com