Google’s June 2026 Android bulletin closes 124 flaws, but only one is being exploited right now: CVE-2025-48595, an integer overflow in the Android Framework that hands a local attacker elevated code execution with no user interaction and no special permissions. Google rates it high severity (CVSS 8.4) and says it is under “limited, targeted exploitation” — the phrasing the company reserves for confirmed in-the-wild attacks it isn’t ready to attribute. CISA agreed fast: the CVE landed in the Known Exploited Vulnerabilities catalog on June 2, with a federal remediation deadline of June 5.

If you run a mobile fleet — and if you have a BYOD policy, an MDM, or engineers carrying phones with VPN profiles and SSO tokens, you do — this is your endpoint problem, not someone else’s.

What the bug is

Per the CVE record, the flaw is “a possible way to achieve code execution due to an integer overflow” present “in multiple locations” inside the Framework component. An integer overflow happens when an arithmetic operation produces a value too large for its type and silently wraps around. The classic shape is a size computed from an attacker-controlled count (count times element size) that wraps to a small number: the allocation is made at the small size, the copy runs to the full count, and downstream code trusts a length or index that no longer reflects reality. That mismatch is the memory-corruption primitive an attacker then steers toward code execution. The record does not name the affected call sites, so treat that shape as background on the bug class rather than a description of this CVE's exact code path.
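As an added, constructed illustration of that bug class (not the CVE-2025-48595 code, which the bulletin does not publish, and not Android's own parsing code), here is the pattern with the size arithmetic emulated at 32-bit width, next to the checked version that rejects a wrapping count and bounds the copy by the real input. The message layout, the record size, and all inputs are hypothetical:

```python
import struct

U32_MAX = 0xFFFFFFFF
RECORD_SIZE = 16  # hypothetical fixed-size record in a parsed message


def u32(value: int) -> int:
    """Emulate unsigned 32-bit arithmetic: keep only the low 32 bits,
    exactly as a uint32_t multiply in native code would."""
    return value & U32_MAX


def vulnerable_parse(message: bytes):
    """Buggy pattern (constructed): trust the attacker-controlled count,
    compute the buffer size with wrapping arithmetic, and size the
    destination from it.

    Returns (allocated_bytes, bytes_the_copy_would_write) so the mismatch
    is visible without corrupting anything in this emulation.
    """
    (count,) = struct.unpack_from("<I", message, 0)   # attacker controls this
    alloc_size = u32(count * RECORD_SIZE)              # wraps for large count
    # native code would do: buffer = allocate(alloc_size)
    copy_len = count * RECORD_SIZE                     # copy loop runs to count
    return alloc_size, copy_len


def overrun_bytes(message: bytes) -> int:
    """How far past the undersized buffer the vulnerable copy would write."""
    alloc_size, copy_len = vulnerable_parse(message)
    return copy_len - alloc_size


def hardened_parse(message: bytes) -> bytes:
    """Checked version: refuse a count whose product cannot fit in 32 bits,
    then require that the message actually carries that many records, so
    the copy length is bounded by real input rather than a header field."""
    (count,) = struct.unpack_from("<I", message, 0)
    if count > U32_MAX // RECORD_SIZE:
        raise ValueError("record count would overflow the size computation")
    needed = count * RECORD_SIZE
    payload = message[4:]
    if needed > len(payload):
        raise ValueError("message shorter than its declared record count")
    return payload[:needed]


def hardened_accepts(message: bytes) -> bool:
    """True if the checked parser takes the message, False if it rejects it."""
    try:
        hardened_parse(message)
        return True
    except ValueError:
        return False


# Constructed inputs, not taken from any real exploit:
BENIGN = struct.pack("<I", 2) + b"A" * (2 * RECORD_SIZE)
# 0x10000001 * 16 = 0x100000010, truncated to 32 bits -> 0x10: a 16-byte
# buffer for a copy that believes it has 0x10000001 records to write.
MALICIOUS = struct.pack("<I", 0x10000001) + b"B" * 64
# Count small enough not to wrap, but the message does not carry the data.
TRUNCATED = struct.pack("<I", 4) + b"C" * 10

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("malicious", MALICIOUS)):
        alloc, copy = vulnerable_parse(msg)
        print(f"{name}: allocates {alloc} bytes, copies {copy} bytes")
    print("hardened accepts benign:", hardened_accepts(BENIGN))
    print("hardened accepts malicious:", hardened_accepts(MALICIOUS))
    print("hardened accepts truncated:", hardened_accepts(TRUNCATED))
```

The two checks in the hardened parser are deliberately separate: the first catches the wrap itself, the second catches the more common case where the arithmetic is fine but the header lies about how much data follows. A native implementation would use checked multiplication (for example a compiler overflow builtin) for the first and the real input length for the second.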

The properties that matter for defenders:

  • Local escalation of privilege. The attacker already needs code running on the device — typically a malicious or trojanized app, or a second-stage payload.
  • No additional execution privileges needed. A low-privilege app with nothing more than basic permissions can reach the vulnerable path.
  • No user interaction. Nothing to tap, no dialog to dismiss. Once hostile code is on the device, escalation is silent.

That combination is precisely the back half of a spyware exploit chain: a delivery bug (a malicious app, a browser RCE, a messaging zero-click) gets you onto the device, and a Framework LPE like this one breaks out of the app sandbox to take system-level control of the OS. Google didn’t name the operators, but it noted that “similar flaws have been weaponized by commercial spyware vendors to target high-profile individuals.” Read that as journalists, executives, dissidents, and anyone else worth a six-figure exploit.

Who’s affected

Android 14, 15, 16, and 16 QPR2 — most of the active install base. The fix ships in the two standard patch levels:

  • 2026-06-01 — Framework and System fixes, including CVE-2025-48595.
  • 2026-06-05 — everything above, plus kernel and third-party chipset patches from Imagination Technologies, MediaTek, Qualcomm, and Unisoc.

Pixel devices get both promptly. Everyone else is at the mercy of their OEM’s patch cadence, which is the perennial Android problem: the bug is fixed in AOSP today and may not reach a given Samsung, Motorola, or budget-OEM handset for weeks.

What to do now

Push the 2026-06-05 patch level to every managed device; the -01 level closes this specific CVE, but you want the chipset fixes too. In your MDM, set a compliance rule on the security patch level the device reports: quarantine anything below 2026-06-01 (the floor that closes CVE-2025-48595) and block it from corporate resources until it updates, and keep flagging devices that sit at -01 until their OEM ships -05. For the long tail of OEMs that haven’t shipped yet, treat those handsets as untrusted endpoints — no SSO, no VPN, no privileged app access — until they’re current.
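A minimal version of that compliance rule, as an added example that is not from the bulletin or from any MDM product. It assumes an inventory job has already collected each device's `ro.build.version.security_patch` (the system property Android exposes for the patch level, readable with `adb shell getprop ro.build.version.security_patch`) keyed by serial; the serials and levels below are constructed, and the status names are this example's own:

```python
from datetime import date

# Floors from the bulletin: 2026-06-05 is the full level (chipset fixes
# included); 2026-06-01 is the minimum that closes CVE-2025-48595.
FULL_PATCH_LEVEL = date(2026, 6, 5)
CVE_FIXED_LEVEL = date(2026, 6, 1)

# Constructed inventory (hypothetical serials): one line per device, the
# serial followed by the value of ro.build.version.security_patch, or
# nothing when the property was missing or unreadable.
SAMPLE_INVENTORY = """\
R58M1234ABC 2026-06-05
ZY22ABCD123 2026-06-01
emulator-5554 2026-05-05
1A2B3C4D
"""


def parse_patch_level(raw: str):
    """Turn 'YYYY-MM-DD' into a date. Anything else (missing, malformed,
    vendor-mangled) becomes None, which the policy treats as failing."""
    try:
        return date.fromisoformat(raw.strip())
    except ValueError:
        return None


def classify(level):
    """Policy decision for one device's reported patch level."""
    if level is None:
        return "unknown"                    # no evidence: treat as quarantine
    if level >= FULL_PATCH_LEVEL:
        return "compliant"                  # full June level, nothing to do
    if level >= CVE_FIXED_LEVEL:
        return "cve-fixed-chipset-pending"  # CVE closed; still push -05
    return "quarantine"                     # below the CVE fix: block access


def triage(inventory: str):
    """Map serial -> status for every non-empty inventory line."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        serial = parts[0]
        raw = parts[1] if len(parts) > 1 else ""
        result[serial] = classify(parse_patch_level(raw))
    return result


def devices_to_block(inventory: str):
    """Serials that should lose SSO, VPN and privileged app access now."""
    return sorted(
        serial for serial, status in triage(inventory).items()
        if status in ("quarantine", "unknown")
    )


if __name__ == "__main__":
    for serial, status in triage(SAMPLE_INVENTORY).items():
        print(f"{serial:16} {status}")
    print("block:", devices_to_block(SAMPLE_INVENTORY))
```

Two design points: the comparison is a date comparison rather than a string match on "June 2026", so an OEM build that lands at 2026-06-01 is recognized as closing this CVE without being mistaken for the full level; and a device that reports no level at all fails closed. The level is self-reported by the build, so this is a hygiene gate, not proof of patching.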

Because the entry point is a hostile app, tighten app provenance while you wait: Play Protect on, sideloading off, and review what’s installed on devices that hold production credentials. An LPE is only useful to an attacker who can already run code on the phone — don’t hand them the first step.

References: Android Security Bulletin — June 2026, CVE-2025-48595 (CVE.org), CISA Known Exploited Vulnerabilities Catalog.