Google has released the June 2026 Android security patches to address 124 vulnerabilities, including one zero-day flaw exploited in targeted attacks.
Local attackers can exploit the actively abused high-severity Android Framework vulnerability (tracked as CVE-2025-48595) to gain code execution and escalate privileges on devices running Android 14 or later.
“There are indications that CVE-2025-48595 may be under limited, targeted exploitation,” the company said on Monday in its March 2025 Android Security Bulletin.
“Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.”
While Google has yet to share technical details about the flaw or provide more information about the ongoing attacks targeting it, similar flaws have been exploited in the past by commercial spyware and by nation-state operations targeting high-profile or high-interest individuals.
With this month’s Android security updates, Google has fixed 18 critical vulnerabilities across System, Framework, and Qualcomm closed-source components that attackers can abuse to trigger denial-of-service conditions and elevate privileges on unpatched Android devices.
“The most severe of these issues is a critical security vulnerability in the Framework component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation,” Google added.
On Monday, Google issued two sets of patches: the 2026-06-01 and 2026-06-05 security patch levels, with the latter bundling all fixes from the first batch, along with patches for closed-source third-party and kernel subcomponents that may not apply to all Android devices.
While Google Pixel devices will receive these security updates immediately, other vendors will often take longer to test and tweak them for specific hardware configurations.
A Google spokesperson was not immediately available for comment when BleepingComputer reached out for more details regarding the CVE-2025-48595 attacks and their targets.
Google released patches for two other high-severity zero-days (CVE-2025-48633 and CVE-2025-48572) in December, and for another zero-day flaw in a Qualcomm display component (CVE-2026-21385) in March, all of which were tagged as “under limited, targeted exploitation.”
Last month, Google also overhauled its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for some Android exploits while scaling back payouts for flaws that are easier to find using artificial intelligence (AI).
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
