Google on Monday released patches for 124 security vulnerabilities affecting its Android operating system for the month of June 2026, including a high-severity flaw in a framework component that has come under active exploitation.
Tracked as CVE-2025-48595 (CVSS score: 8.4), the security flaw is described as a case of privilege escalation without requiring any user interaction. The vulnerability affects devices running Android versions 14, 15, 16, and 16 QPR2 (Quarterly Platform Release 2).
According to the description of the vulnerability on CVE.org, “In multiple locations, this is a possible way to gain code execution due to integer overflow. This allows for local elevation of privilege and does not require any additional execution privileges. The exploit does not require user interaction.”
Google has acknowledged that there are indications that CVE-2025-48595 may be subject to a “limited, targeted exploit.” As is usually the case, the tech giant did not disclose who could be behind the activity, who was targeted, or the scale of such efforts.
That said, similar flaws have been weaponized by commercial spyware vendors in highly targeted attacks against high-profile individuals.
Elsewhere, several vulnerabilities in system components have been fixed, the most serious of which could lead to local elevation of privilege and would not require additional execution privileges.
Google has released two sets of patches – 2026-06-01 and 2026-06-05 security patch levels – the latter containing all the fixes from the first set, as well as patches for kernel and third-party chipset components from Imagination Technologies, MediaTek, Qualcomm, and Unisoc.