Google fixes 124 Android flaws in June, one actively exploited

Google released its June 2026 Android security updates addressing 124 vulnerabilities, including a high‑severity Framework privilege‑escalation bug tracked as CVE‑2025‑48595. The company reported indications that the Framework flaw may be subject to limited, targeted exploitation.

CVE‑2025‑48595 carries a CVSS score of 8.4. The CVE entry notes an integer overflow in multiple locations that could allow code execution and local escalation of privilege without user interaction. That means an attacker who can already run code on a device might gain higher privileges without additional prompts or clicks.

Google published two patch sets for June, dated 2026-06-01 and 2026-06-05. The June 5 release includes fixes from the earlier set plus patches for kernel defects and vulnerabilities in third‑party chipset components supplied by Imagination Technologies, MediaTek, Qualcomm and Unisoc. Device manufacturers and carriers typically deliver those vendor and kernel fixes to phones in staged rollouts.

The update also addresses multiple issues in the System component; the most severe of those could enable local privilege escalation without extra execution privileges. Overall, the month’s fixes cover flaws across Framework, System, kernel and vendor chipset code.

Security practitioners have previously observed that integer‑overflow and similar memory‑corruption flaws have been used by commercial spyware tools in highly targeted operations against specific individuals. Google did not provide attribution, affected targets or the scale of any exploitation in its bulletin.

Users are advised to check for the June security patch from their handset maker or carrier and install updates when they become available. Installing the vendor-supplied June patches will remedy the Framework vulnerability and other issues addressed in the monthly package.