Google patches 124 Android flaws including actively exploited CVE-2025-48595; CISA orders federal fix by June 5
Google's June 2026 Android security bulletin patched 124 vulnerabilities, including CVE-2025-48595, an Android Framework integer-overflow bug (CVSS 8.4) that Google says is under 'limited, targeted exploitation' in the w.
At a glance
- June 2026 Android security bulletin patched 124 vulnerabilities
- CVE-2025-48595: Android Framework integer-overflow, CVSS 8.4, 'limited, targeted exploitation', code execution + LPE with no user interaction
- Two patch levels shipped: 2026-06-01 and 2026-06-05, covering Android 14, 15, 16 and 16 QPR2
- CISA added CVE-2025-48595 to KEV on June 2, 2026; FCEB remediation deadline June 5, 2026 under Binding Operational Directive 22-01
- BleepingComputer (Bill Toulas) reported the flaw is not flagged as exploited by ransomware crews
VERDICT — CONFIRMED
Google's June 2026 Android security bulletin patched 124 vulnerabilities, including CVE-2025-48595, an Android Framework integer-overflow bug (CVSS 8.4) that Google says is under 'limited, targeted exploitation' in the wild. The flaw enables code execution and local privilege escalation with no user interaction, the hallmark signature of commercial spyware vendor or nation-state targeting, though Google declined to name threat actors or victims. Two patch levels shipped, 2026-06-01 and 2026-06-05, covering Android 14, 15, 16 and 16 QPR2.
CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2026, giving Federal Civilian Executive Branch agencies a remediation deadline of June 5, 2026 under Binding Operational Directive 22-01. BleepingComputer's Bill Toulas reported the same day that neither this bug nor a companion KEV addition is flagged as exploited by ransomware crews, consistent with espionage-grade abuse. The bulletin is significant because integer-overflow-to-LPE chains without user interaction are exactly what mercenary spyware (e.g., commercial implant vendors) weaponize for one-click or zero-click device compromise; the three-day federal patch window underscores CISA's read that exploitation is real and ongoing rather than theoretical.
For enterprises and OEMs, the lag between Google's source patch and downstream carrier/device rollout leaves a meaningful exposure window on unpatched Android 14-16 handsets.
Key facts on file
- June 2026 Android security bulletin patched 124 vulnerabilities
- CVE-2025-48595: Android Framework integer-overflow, CVSS 8.4, 'limited, targeted exploitation', code execution + LPE with no user interaction
- Two patch levels shipped: 2026-06-01 and 2026-06-05, covering Android 14, 15, 16 and 16 QPR2
- CISA added CVE-2025-48595 to KEV on June 2, 2026; FCEB remediation deadline June 5, 2026 under Binding Operational Directive 22-01
- BleepingComputer (Bill Toulas) reported the flaw is not flagged as exploited by ransomware crews
- Google declined to name threat actors or victims

