
Google has released the June 2026 Android security updates, addressing dozens of vulnerabilities across the mobile operating system, including a high-severity zero-day flaw that is under active, targeted exploitation.
The update also fixes multiple critical privilege-escalation and denial-of-service vulnerabilities affecting core Android components.
The actively exploited vulnerability is tracked as CVE-2025-48595, an elevation-of-privilege (EoP) flaw in the Android Framework component. Google stated that there are “indications” the bug is being exploited in limited, targeted attacks, though the company did not disclose who discovered the issue, how it is being exploited, or whether it was used by commercial spyware vendors, cybercriminal groups, or state-sponsored actors.
The vulnerability affects devices running Android 14, Android 15, Android 16, and Android 16 QPR2. As an elevation-of-privilege flaw, successful exploitation could allow an attacker to gain broader access to device resources than normally permitted, potentially serving as a stepping stone within a larger attack chain.
Beyond the zero-day, Google's bulletin addresses a substantial number of vulnerabilities across the Framework and System components. The most severe issue fixed this month is CVE-2025-65018, a critical Framework vulnerability that could enable remote elevation of privilege without requiring user interaction. Google noted that exploitation could occur without any additional execution privileges, making it one of the most serious flaws patched in the release.
The System component received fixes for several critical vulnerabilities, including:
- CVE-2026-0043
- CVE-2026-0097
- CVE-2026-21352
- CVE-2026-21353
These bugs could allow local privilege escalation without requiring additional execution privileges or user input.
The June update also includes fixes for a wide range of high-severity vulnerabilities spanning information disclosure, denial of service, remote code execution, and privilege escalation. Google additionally patched vulnerabilities in kernel components and incorporated security fixes from chipset vendors including Qualcomm, MediaTek, Imagination Technologies, and Unisoc.
Among the vendor-specific fixes are three critical vulnerabilities in Qualcomm closed-source components, tracked as CVE-2025-47392, CVE-2026-25276, and CVE-2026-25277.
The June 2026 fixes are available through security patch levels 2026-06-01 and 2026-06-05, with the latter incorporating all fixes from both patch levels. Pixel devices are expected to receive the updates first, while availability for Samsung, Motorola, Xiaomi, OnePlus, and other Android vendors will depend on each manufacturer's release schedule.
Users are advised to install the latest security updates as soon as they become available, avoid sideloading applications from untrusted sources, keep Google Play Protect enabled, and ensure their devices are running the most recent Android version supported by the manufacturer.
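
For administrators tracking a fleet against the two patch levels described above, the following is an added example (not from Google or the original article) that classifies devices by their reported security patch level and flags those on the Android releases listed as affected by CVE-2025-48595. The device names and inventory are constructed, and because the article does not say which patch level carries the zero-day fix, the script assumes only 2026-06-05 covers it.

```python
import csv
import io
from datetime import date

# Patch levels named in the article; 2026-06-05 includes the fixes from both.
PARTIAL_SPL = date(2026, 6, 1)
FULL_SPL = date(2026, 6, 5)
# Android releases the article lists as affected by CVE-2025-48595
# ("16" also covers 16 QPR2, which reports the same release string).
ZERO_DAY_RELEASES = {"14", "15", "16"}

# Constructed sample inventory (hypothetical device names), e.g. collected with
#   adb shell getprop ro.build.version.security_patch
#   adb shell getprop ro.build.version.release
SAMPLE_INVENTORY = """device,release,security_patch
pixel-lab-01,16,2026-06-05
tablet-kiosk-07,15,2026-06-01
handset-field-12,14,2026-03-01
legacy-scanner-03,13,2025-11-05
byod-unknown-44,15,
"""

def classify_spl(spl_text):
    """Return 'full', 'partial', 'missing' or 'unknown' for a patch-level string."""
    try:
        spl = date.fromisoformat(spl_text.strip())
    except ValueError:
        return "unknown"  # empty or malformed value: treat as unverified
    if spl >= FULL_SPL:
        return "full"
    if spl >= PARTIAL_SPL:
        return "partial"
    return "missing"

def audit(inventory_csv):
    """Classify each device and flag those needing review for the zero-day."""
    report = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify_spl(row["security_patch"] or "")
        # The article does not say which patch level carries the zero-day fix,
        # so only 'full' is treated as covering it (conservative assumption).
        at_risk = row["release"] in ZERO_DAY_RELEASES and status != "full"
        report.append({"device": row["device"], "status": status,
                       "zero_day_review": at_risk})
    return report

if __name__ == "__main__":
    for entry in audit(SAMPLE_INVENTORY):
        print(entry)
```
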