Jun 04, 2026 · 5 min read
Android Zero Day CVE-2025-48595 Under Active Attack
Google shipped its June 2026 Android Security Bulletin on June 2 with 124 fixes, and a single line in the notes does most of the work: CVE-2025-48595 may be under limited, targeted exploitation. That phrasing is Google's house code for "we have seen this used against real people in the wild."
Android 14, 15, 16, and 16 QPR2 are all in scope. The patch landed in two security patch levels — 2026-06-01 and 2026-06-05. Every device that has not picked up at least the 2026-06-01 level is still vulnerable, and the rollout cadence outside Google's own Pixel phones is, as always, the long tail.
Key Takeaways
- CVE-2025-48595 is an elevation of privilege flaw in the Android Framework component, disclosed and patched in the June 2026 Android Security Bulletin published June 2, 2026.
- Google confirmed indications of limited, targeted exploitation — the language it reserves for confirmed in-the-wild attacks, typically tied to commercial spyware or state-aligned operators.
- Affected versions: Android 14, Android 15, Android 16, and Android 16 QPR2. Both the 2026-06-01 and 2026-06-05 security patch levels contain the fix.
- The June bulletin patches 124 vulnerabilities in total, including CVE-2025-65018, a separate critical Framework bug that allows remote privilege escalation without user interaction.
- Non-Pixel Android devices typically receive the monthly bulletin weeks to months later — meaning the public CVE window is open before most phones can install the fix.
What Is CVE-2025-48595?
CVE-2025-48595 is a local elevation of privilege bug in the Android Framework — the layer of OS services that mediates between apps and the kernel. An attacker who can get any code running on the device, even from a sandboxed app, can use the flaw to escape that sandbox and acquire system level privileges. From there, the rest of the device is downstream.
Google did not publish the specific technical pattern. It rarely does for zero days under active exploitation, because the bulletin ships before the slowest OEM has integrated the fix. What it did publish is the phrase "limited, targeted exploitation," and in Google's six-year history of using that phrase, it has correlated with commercial spyware deployments — Pegasus, Predator, Graphite — against journalists, lawyers, and activists.
How Does a Local Privilege Bug Get Used as a Zero Day?
A pure elevation of privilege flaw does not, on its own, give an attacker access to your phone. They need a way in first. In a real spyware chain, CVE-2025-48595 is usually the second or third link: a separate browser, messaging, or media bug runs attacker code in a low-privilege context, and CVE-2025-48595 is what breaks out of that context to reach the system.
The June bulletin also patched CVE-2025-65018, marked critical, with the much sharper note that it permits remote elevation of privilege without user interaction. That is the front-door bug. The combination of a remote no-interaction bug and a local privilege escalation in the same month is exactly the shape of a full chain — which is why CISA-covered federal agencies and enterprise mobile fleets need to ship the June patch as a priority, not a courtesy.
Who Should Patch First?
If you are a journalist, lawyer, dissident, or someone whose threat model includes a nation-state, treat this as a same-day patch. The "limited, targeted exploitation" wording from Google has, in past bulletins, been the public surface of campaigns that were already running for weeks. Android's Advanced Protection Program is the direct analog of Lockdown Mode on iOS — if you have not enrolled, this is the bulletin to do it.
For everyone else, the calculus is simpler. Open Settings, go to System, About phone, Android version, and confirm your security patch level is 2026-06-01 or later. If the bulletin has not yet reached your device, check again every week — and avoid sideloading apps until it does.
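The manual Settings check above does not scale to a fleet. The script below is an added example, not part of the article or any Google tooling: it reads the standard `ro.build.version.release` and `ro.build.version.security_patch` properties over adb and reports whether each device is at or past the 2026-06-01 level. It assumes adb is installed and each device has USB debugging authorized.

```shell
#!/bin/sh
# Added example (not from the article): fleet check for the June 2026 patch level
# that fixes CVE-2025-48595. Assumes adb is installed and devices are authorized.

REQUIRED_SPL="2026-06-01"   # earliest security patch level carrying the fix

# spl_to_int 2026-06-01 -> 20260601; fails for anything that is not YYYY-MM-DD
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# spl_is_patched LEVEL: 0 if LEVEL is at or after REQUIRED_SPL, 1 if older,
# 2 if LEVEL is malformed (e.g. an empty property on a device that hides it).
spl_is_patched() {
    have=$(spl_to_int "$1") || return 2
    need=$(spl_to_int "$REQUIRED_SPL")
    [ "$have" -ge "$need" ]
}

# device_status RELEASE LEVEL: prints patched | vulnerable | unknown | out-of-scope.
# The bulletin covers Android 14, 15 and 16 (16 QPR2 still reports release 16).
device_status() {
    case "$1" in
        14|15|16) ;;
        *) echo out-of-scope; return 0 ;;
    esac
    rc=0
    spl_is_patched "$2" || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# sweep_fleet: one line per attached device; prints an error if adb is absent.
sweep_fleet() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
        rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        spl=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s\tAndroid %s\tSPL %s\t%s\n' "$serial" "$rel" "$spl" \
            "$(device_status "$rel" "$spl")"
    done
}
# Usage: . ./check_spl.sh && sweep_fleet
```

Anything reported as `vulnerable` has not received either the 2026-06-01 or 2026-06-05 level; `unknown` means the property was missing or malformed and the device needs a manual look.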
Why Does This Matter for Your Email?
System level access on an Android device means everything: the Gmail app's token cache, every Authenticator app's seed, every saved password in Chrome. A successful chain that ends in CVE-2025-48595 hands the attacker not just the device, but the recovery account behind every other login the user has. For more on how a single compromised device feeds the rest of an attacker's toolkit, see our coverage of the Russian Signal account hijack campaign against journalists and Google's ongoing zero-day work documented by Project Zero.
The June 2026 bulletin is on the Android Open Source Project page. The question is not whether the patch exists — it does — but whether the device in your pocket has installed it. Until that line reads 2026-06-01 or later, the door is still open.