Google patches Android zero-day under active attack
Key insights
- CVE-2025-48595 requires no user interaction to exploit, enabling local code execution and privilege escalation on Android 14 and later.
- Google's June 2026 update patches 124 Android vulnerabilities, with 18 rated critical across System, Framework, and Qualcomm components.
- This is the fourth Android zero-day patched since December 2025, all confirmed under limited targeted exploitation by Google.
Why this matters
CVE-2025-48595 requiring no user interaction means enterprise Android fleets on unpatched OEM hardware are silently exposed to local privilege escalation with no behavioral tripwire to detect it. The recurring split between Pixel's immediate updates and OEM vendors' customization lag creates a documented exploitation window attackers are already using, confirmed by Google's own advisory language. Four zero-days in six months, each tagged under limited targeted exploitation, points to a sustained and sophisticated actor systematically probing Android's attack surface rather than opportunistic mass exploitation.
Summary
Google's June 2026 Android patch addresses 124 flaws, including CVE-2025-48595, an actively exploited Framework zero-day on Android 14 and later.
The flaw lets local attackers execute code and escalate privileges with no user interaction needed. Google shipped two patch levels, 2026-06-01 and 2026-06-05, with the second bundle adding fixes for closed-source third-party and kernel components.
In practice, the rollout is split: Pixel devices update immediately, while other Android OEMs take additional time for testing and customization before shipping the fixes.
- 18 critical flaws span System, Framework, and Qualcomm components.
- Prior zero-days CVE-2025-48633, CVE-2025-48572, and CVE-2026-21385 were patched in December and March with the same 'limited, targeted exploitation' designation.
Four Android zero-days since December signal sustained, targeted pressure on the platform.
Potential risks and opportunities
Risks
- Enterprise Android deployments on non-Pixel hardware remain exposed to local code execution via CVE-2025-48595 during OEM testing and customization, a window that historically spans weeks.
- The 2026-06-05 bundle covers closed-source third-party and kernel subcomponents that each OEM must individually integrate; vendors shipping heavily customized firmware may delay or omit these fixes entirely.
- The accelerating cadence of exploited Android zero-days raises the probability that a future flaw escapes 'limited targeted' status and reaches mass exploitation before the OEM patch cycle completes.
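The OEM patch-lag window described under Why this matters and in the Risks list above can be measured on a fleet rather than estimated. The following added example is written for this page and is not code from Google, BleepingComputer or any OEM: it audits an MDM-style device inventory against the two June 2026 patch levels and reports which devices on Android 14 and later still lack the June fixes. It assumes the Framework fix for CVE-2025-48595 ships at the 2026-06-01 level and that 2026-06-05 adds the closed-source third-party and kernel fixes, as the summary describes; the inventory rows, serials and models are constructed, and the two `ro.build.version.*` properties referenced are the standard Android properties that `adb shell getprop` returns.

```python
"""Audit an Android device inventory against the June 2026 security patch levels.

Added example for this page (not Google's, BleepingComputer's or any OEM's code).
Input rows mirror what an MDM export or `adb shell getprop` yields for
ro.build.version.release and ro.build.version.security_patch.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Patch levels named in the June 2026 bulletin (from the article).
JUNE_LEVEL_AOSP = "2026-06-01"   # System/Framework fixes (assumed to carry CVE-2025-48595)
JUNE_LEVEL_FULL = "2026-06-05"   # adds closed-source third-party and kernel fixes
MIN_AFFECTED_MAJOR = 14          # CVE-2025-48595 affects Android 14 and later

PATCH_LEVEL_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample inventory; serials, models and values are made up.
SAMPLE_INVENTORY = """\
serial,model,release,security_patch
PX-0001,Pixel,16,2026-06-05
OEM-1002,Vendor A Tablet,15,2026-06-01
OEM-1003,Vendor B Phone,14,2026-04-05
OEM-1004,Vendor B Phone,13,2026-02-05
OEM-1005,Vendor C Phone,15,2026-5-01
"""


@dataclass(frozen=True)
class Finding:
    serial: str
    model: str
    release: str
    patch_level: str
    status: str


def parse_major(release: str) -> Optional[int]:
    """Extract the Android major version from ro.build.version.release ('15.1' -> 15)."""
    m = re.match(r"^(\d+)", release.strip())
    return int(m.group(1)) if m else None


def classify(release: str, patch_level: str) -> str:
    """Classify one device relative to CVE-2025-48595 and the June 2026 levels.

    Security patch levels are ISO dates, so well-formed values compare
    correctly as strings; anything malformed is reported as 'unknown'
    rather than being silently treated as patched.
    """
    major = parse_major(release)
    level = patch_level.strip()
    if major is None or not PATCH_LEVEL_RE.match(level):
        return "unknown"
    if major < MIN_AFFECTED_MAJOR:
        return "outside_cve_scope"   # not in the stated affected range; may still lack other June fixes
    if level < JUNE_LEVEL_AOSP:
        return "exposed"             # no June fixes at all: CVE-2025-48595 unpatched (assumed 06-01 level)
    if level < JUNE_LEVEL_FULL:
        return "partial"             # Framework fixed, closed-source/kernel bundle still pending
    return "patched"


def audit(csv_text: str) -> list:
    """Run classify() over every inventory row and return one Finding per device."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["release"], row["security_patch"])
        findings.append(Finding(row["serial"], row["model"], row["release"],
                                row["security_patch"], status))
    return findings


def summarize(findings: list) -> dict:
    """Count devices per status, e.g. for a fleet dashboard."""
    return dict(Counter(f.status for f in findings))


def exposed_serials(findings: list) -> list:
    """Serials that still need the June Framework fix: the OEM-lag window in concrete terms."""
    return [f.serial for f in findings if f.status == "exposed"]


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.serial:10} {f.model:16} Android {f.release:5} {f.patch_level:11} {f.status}")
    print(summarize(results))
```

The `partial` state is what makes the 2026-06-05 bundle visible: a device reporting 2026-06-01 has the AOSP fixes but not the vendor and kernel fixes that each OEM must integrate separately, so a dashboard that only checks for "June patch present" would miss that gap. Malformed patch-level strings, which some OEM builds do report, land in `unknown` so they are reviewed instead of counted as patched.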
Opportunities
- Mobile threat defense vendors (Lookout, Zimperium, Microsoft Defender for Endpoint on Android) gain a concrete sales argument for runtime exploit detection to cover the OEM patch lag window.
- Android Enterprise program managers can leverage the documented pattern of exploited zero-days to negotiate tighter patch SLA commitments from OEM partners in new procurement contracts.
- Security research firms with Android internals expertise can publish CVE-2025-48595 detection rules for SOC teams now, before OEM patches arrive, positioning themselves ahead in the enterprise mobile security market.
What we don't know yet
- Attribution behind CVE-2025-48595 exploitation: the article notes 'limited, targeted exploitation' but names no threat group or linked campaign.
- Which non-Pixel OEM vendors have committed to patch timelines for the June 2026 update and how long the rollout gap typically runs in practice.
- Whether CVE-2025-48633, CVE-2025-48572, and CVE-2026-21385 share exploitation infrastructure with CVE-2025-48595, which would indicate a single persistent actor across all four incidents.
Originally reported by bleepingcomputer.com
Original headline: Google Patches Actively Exploited Android Zero-Day CVE-2025-48595 in June Security Update Covering 124 Flaws