Google Fixes Actively Exploited Android Zero-Day in June Patches

Google has released the June 2026 Android security patches to address 124 vulnerabilities, including one zero-day flaw exploited in targeted attacks.

Google is addressing an actively exploited zero-day in the Android Framework. Local attackers can exploit the high-severity vulnerability tracked as CVE-2025-48595 to gain code execution and escalate privileges on devices running Android 14 or later. There are indications that CVE-2025-48595 may be under limited, targeted exploitation, the company said on Monday in its March 2025 Android Security Bulletin.

While Google has yet to share technical details about the flaw or provide more information about the ongoing attacks targeting it, similar flaws have been exploited in the past by commercial spyware and by nation-state operations targeting high-profile or high-interest individuals. Google encourages all users to update to the latest version of Android where possible. Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform.

The patches resolve 18 critical vulnerabilities. These span System, Framework, and Qualcomm closed-source components that attackers can abuse to trigger denial-of-service conditions and elevate privileges on unpatched Android devices. The most severe of these issues is a critical security vulnerability in the Framework component that could lead to remote escalation of privilege with no additional execution privileges needed.

User interaction is not needed for exploitation.

Two security patch levels were issued on Monday. The updates are the 2026-06-01 and 2026-06-05 security patch levels, with the latter bundling all fixes from the first batch along with patches for closed-source third-party and kernel subcomponents that may not apply to all Android devices. Google Pixel devices will receive these security updates immediately.

Other vendors will often take longer to test and tweak them for specific hardware configurations.

Google has fixed multiple zero-days in recent months. The company released patches for two other high-severity zero-days tracked as CVE-2025-48633 and CVE-2025-48572 in December. It also fixed another zero-day flaw in a Qualcomm display component tracked as CVE-2026-21385 in March.

All of which were tagged as under limited, targeted exploitation.

Google overhauled its vulnerability rewards programs last month. The company updated its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for some Android exploits. It is scaling back payouts for flaws that are easier to find using artificial intelligence.