Google has released the June 2026 Android security patches to address 124 vulnerabilities, including one zero-day flaw exploited in targeted attacks.
Local attackers can exploit the actively abused high-severity Android Framework vulnerability (tracked as CVE-2025-48595) to gain code execution and escalate privileges on devices running Android 14 or later.
"There are indications that CVE-2025-48595 may be under limited, targeted exploitation," the company said on Monday in its March 2025 Android Security Bulletin.
"Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible."
While Google has yet to share technical details about the flaw or provide more information about the ongoing attacks targeting it, similar flaws have been exploited in the past by commercial spyware and by nation-state operations targeting high-profile or high-interest individuals.
With this month's Android security updates, Google has fixed 18 critical vulnerabilities across System, Framework, and Qualcomm closed-source components that attackers can abuse to trigger denial-of-service conditions and elevate privileges on unpatched Android devices.
"The most severe of these issues is a critical security vulnerability in the Framework component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation," Google added.
On Monday, Google issued two sets of patches: the 2026-06-01 and 2026-06-05 security patch levels, with the latter bundling all fixes from the first batch, along with patches for closed-source third-party and kernel subcomponents that may not apply to all Android devices.
While Google Pixel devices will receive these security updates immediately, other vendors will often take longer to test and tweak them for specific hardware configurations.
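As an added example (not part of the original article or Google's bulletin), the shell script below classifies a device's reported security patch level against the two levels named above, so an administrator can see which devices are still waiting on a vendor update. The function names and the sample inventory are constructed for illustration; `ro.build.version.security_patch` is the Android system property that holds the patch level.

```shell
#!/bin/sh
# Classify Android security patch levels (YYYY-MM-DD) against the two levels
# named in the article. On a device attached over adb, the value comes from:
#   adb shell getprop ro.build.version.security_patch
PARTIAL_SPL="2026-06-01"   # first patch level from the article
FULL_SPL="2026-06-05"      # second level: bundles the first plus vendor/kernel fixes

# Convert YYYY-MM-DD to the integer YYYYMMDD; fail on any other shape.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | tr -d '-'
}

# Print full / partial / missing / unknown for one patch-level string.
# Assumption: later patch levels include the fixes of earlier ones.
classify_spl() {
    spl=$(printf '%s' "$1" | tr -d '\r ')   # adb output can carry a trailing CR
    dev=$(spl_to_int "$spl") || { echo "unknown"; return 0; }
    if [ "$dev" -ge "$(spl_to_int "$FULL_SPL")" ]; then
        echo "full"
    elif [ "$dev" -ge "$(spl_to_int "$PARTIAL_SPL")" ]; then
        echo "partial"
    else
        echo "missing"
    fi
}

# Read "serial patch_level" lines on stdin; report devices not at the full level.
audit_inventory() {
    while read -r serial spl; do
        [ -n "$serial" ] || continue
        status=$(classify_spl "$spl")
        [ "$status" = "full" ] || printf '%s %s\n' "$serial" "$status"
    done
}

# Constructed sample inventory (hypothetical serials, not real devices).
sample_inventory() {
    cat <<'EOF'
PIXEL-A 2026-06-05
VENDOR-B 2026-06-01
VENDOR-C 2026-05-01
VENDOR-D
EOF
}

sample_inventory | audit_inventory
```

A device reported as `unknown` returned no parseable patch level and should be checked by hand rather than assumed patched.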
A Google spokesperson was not immediately available for comment when BleepingComputer reached out for more details regarding the CVE-2025-48595 attacks and their targets.
Google released patches for two other high-severity zero-days (CVE-2025-48633 and CVE-2025-48572) in December, and for another zero-day flaw in a Qualcomm display component (CVE-2026-21385) in March, all of which were tagged as "under limited, targeted exploitation."
Last month, Google also overhauled its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for some Android exploits while scaling back payouts for flaws that are easier to find using artificial intelligence (AI).
Hope you enjoyed this news post. Feedback welcome.
Posted Wednesday 3 June 2026 at 7:49 am AEST (my time).