Back to Blog
Cybersecurity June 4, 2026 5 min read

Google Patches Actively Exploited Android Zero-Day in June 2026 Update — Update Now

Google's June 2026 Android update patches 124 flaws including CVE-2025-48595, an integer overflow in the Framework component already under active exploitation. CISA added it to the KEV catalog with a June 5 patch deadline.

Google Patches Actively Exploited Android Zero-Day in June 2026 Update — Update Now

Google’s June 2026 Android security update patches 124 vulnerabilities, including one already being actively exploited. CVE-2025-48595 is an integer overflow in the Android Framework component that enables local privilege escalation on Android 14, 15, 16, and 16 QPR2 — with no user interaction required.

CVSS score: 8.4 (High). An attacker with local code execution can escalate privileges silently. No tap, no click, no social engineering needed once code is running on the device.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalog on June 2 and required all Federal Civilian Executive Branch (FCEB) agencies to patch by June 5 — a three-day window that signals how seriously CISA is treating the active exploitation reports.

Beyond the zero-day, this update closes four critical vulnerabilities in the Android System component — CVE-2026-0043, CVE-2026-0097, CVE-2026-21352, and CVE-2026-21353 — all of which can enable local privilege escalation without user input. Three Qualcomm closed-source components also received critical patches: CVE-2025-47392, CVE-2026-25276, and CVE-2026-25277.

Google shipped two patch levels: 2026-06-01 and 2026-06-05. The June 5 level includes everything in the June 1 set plus kernel and third-party chipset fixes from Imagination Technologies, MediaTek, Qualcomm, and Unisoc. A device reporting the June 5 patch level is fully covered. The June 1 level closes the Framework and System components only.

What to do: Go to Settings → System → Software update and install whatever your OEM has pushed. Pixel devices received the patch directly from Google on June 2. Samsung, OnePlus, and other Android OEMs follow their own schedules — typically two to six weeks behind Google’s release date.

For security teams managing Android device fleets: this vulnerability’s inclusion on the CISA KEV catalog and its active exploitation status make it a treat-as-urgent patch. Waiting for a scheduled maintenance window is not advisable here.

Sources

android cve-2025-48595 zero-day google security-patch