Android Framework Integer Overflow Under Active Targeted Exploitation (CVE-2025-48595)
Google's June 2026 Android Security Bulletin patches an actively exploited integer overflow in the Android Framework that enables local privilege escalation without user interaction. 124 vulnerabilities total, one confirmed zero-day. CISA KEV deadline June 5.
Google's June 2026 Android Security Bulletin, published June 1, patches 124 vulnerabilities across the Android Framework, System, Kernel, and third-party chipset components. One of those vulnerabilities — CVE-2025-48595, a CVSS 8.4 integer overflow in the Android Framework — carries a confirmation of active exploitation. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 2, with a federal agency remediation deadline of June 5 — a three-day window that reflects CISA's trend toward compressing KEV deadlines in 2026, where the average has dropped to 14.4 days from 19.7 in 2025.
The vulnerability is classified CWE-190 (Integer Overflow) and exists in multiple locations within the Android Framework, the layer of APIs and system services that applications interact with directly. An integer overflow occurs when an arithmetic operation produces a value that exceeds the storage capacity of its data type, causing it to wrap around to an unexpected value. In this case, the overflow creates a code execution path at elevated privilege levels. The flaw requires no additional execution privileges at the point of entry and no user interaction during exploitation itself: once a malicious application is running on the device, the privilege escalation executes without any further action from the user. The attack vector is local, and the CVSS score is 8.4. Affected versions are Android 14, 15, 16, and 16 QPR2.
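As an added illustration of the CWE-190 pattern described above (example code written for this article, not code from the Android Framework or from the affected component, whose exact location the bulletin does not detail): a 32-bit size computation that silently wraps, beside the overflow-checked form that rejects the same input. The 8-byte header layout and both sample buffers are constructed for the example, and the check relies on the GCC/Clang `__builtin_mul_overflow` builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed 8-byte little-endian header: count, then elem_size.
 * Both sample buffers are made up for this example. */
static const uint8_t SAMPLE_OK[8]   = { 16, 0, 0, 0,  64, 0, 0, 0 }; /* 16 * 64 = 1024 */
static const uint8_t SAMPLE_WRAP[8] = { 0, 0, 1, 0,   0, 0, 1, 0 };  /* 0x10000 * 0x10000 = 2^32 */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (CWE-190): the product is computed in 32 bits and
 * wraps modulo 2^32, so a buffer sized from it is far smaller than the
 * element count the caller supplied. */
uint32_t total_size_unchecked(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Hardened pattern: detect the wrap before the value is used as a size.
 * Returns -1 on overflow, otherwise the exact 32-bit product. */
int64_t total_size_checked(uint32_t count, uint32_t elem_size) {
    uint32_t total;
    if (__builtin_mul_overflow(count, elem_size, &total)) { /* GCC/Clang builtin */
        return -1;
    }
    return (int64_t)total;
}

/* Validate an untrusted header: returns the payload size the header
 * claims, or -1 if the header is short or its size arithmetic wraps. */
int64_t validate_header(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 8) {
        return -1;
    }
    return total_size_checked(read_le32(buf), read_le32(buf + 4));
}
```

The unchecked product of the wrapping sample is 0, which is exactly the value an allocator would be handed; the checked path returns -1 for the same header.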
Google's bulletin language — "may be under limited, targeted exploitation" — is the standard phrasing the company uses when in-the-wild use is confirmed but broad opportunistic exploitation has not been observed. The local attack vector classification places the likely exploitation path through a malicious application that a targeted user has been induced to install, potentially as a second-stage component in a broader attack chain rather than a standalone initial access tool.
The June 2026 bulletin ships two patch levels: 2026-06-01 and 2026-06-05. The 2026-06-01 level covers Framework and System fixes including CVE-2025-48595. The 2026-06-05 level adds partner, device, kernel, and closed-source component fixes. Google distributes patches to device manufacturers; availability on any given device depends on when the OEM and carrier push the update. Pixel devices receive updates directly from Google and are typically first. Samsung, OnePlus, and other major OEMs follow on their own schedules. Budget and older devices may not receive the patch at all if the manufacturer has ended support for the affected Android version.
For enterprise Android fleet administrators, CVE-2025-48595 is a priority patch given the KEV listing. For consumer users, checking Settings → Security → Security update and applying any available June 2026 patch is the only available mitigation. No workaround exists for unpatched devices.