
Android Framework zero-day CVE-2025-48595 added to CISA KEV

Google's June 2026 Android Security Bulletin fixes 124 flaws, including a Framework integer overflow under limited, targeted exploitation. CISA wants federal agencies patched by 5 June.


Google's June 2026 Android Security Bulletin addresses 124 vulnerabilities, one of which — CVE-2025-48595, a CVSS 8.4 integer overflow in the Android Framework — is described by Google as being "under limited, targeted exploitation." CISA added the flaw to its Known Exploited Vulnerabilities catalog on 2 June 2026 with a federal remediation deadline of 5 June 2026 under BOD 22-01. Secondary coverage at BleepingComputer, Help Net Security and The Hacker News corroborates the disclosure timeline.

What the bug is

CVE-2025-48595 is an integer overflow (CWE-190) in the Android Framework — the system-services layer that apps interact with. Google's bulletin places the bug in multiple Framework locations and rates it high severity, CVSS 8.4. The attack vector is local, the attack complexity is low, and no user interaction is required: a malicious app already on the device escalates from the regular app sandbox to a higher privilege level. As with other bugs of this class in the Framework, successful exploitation can lead to full device control once the escalated privilege is chained into further system actions.

Google's phrasing — "limited, targeted exploitation" — is the language reserved for cases where commercial spyware vendors or nation-state operators are using the bug against specific high-value targets rather than mass-deploying it.

Affected versions

Per the bulletin, CVE-2025-48595 is present in:

  • Android 14
  • Android 15
  • Android 16
  • Android 16 QPR2

The Framework component fix ships in the 2026-06-01 patch level. Google's bulletin separates fixes into two patch strings:

  • 2026-06-01 — core Android OS components (Framework, System).
  • 2026-06-05 — everything in 2026-06-01 plus kernel, partner, and closed-source-component fixes (Qualcomm, MediaTek, Imagination, Arm, and other SoC vendor patches).

A device is fully covered only when its reported patch level is 2026-06-05 or later; a device reporting 2026-06-01 has the Framework fix but not the kernel and SoC-vendor fixes. Devices stuck on 2026-05-01 are unpatched.

Exploitation status

  • Google — bulletin language: "limited, targeted exploitation." No IOCs published in the bulletin.
  • CISA KEV — added 2 June 2026, action due 5 June 2026 (catalog entry). Federal civilian agencies must patch or pull affected devices.
  • No actor named by Google or CISA in the public disclosure. Treat attribution as open.

A second Linux kernel flaw, CVE-2023-0386 (an OverlayFS privilege escalation originally fixed upstream in 2023), was added to KEV the same day. The two adds are unrelated chains but landed in the same CISA bulletin, which is why some secondary outlets bundle them.

Action checklist

  1. Patch managed Android fleets to security patch level 2026-06-05 (or later) immediately. 2026-06-01 closes the Framework CVE but leaves SoC-side bugs from the June drop open. If your MDM exposes the patch level, set the compliance threshold to 2026-06-05.
  2. Sweep the fleet for stuck OEMs. Devices from vendors that lag the Google patch (cheap secondary handsets, dormant test devices, kiosk hardware) are the ones that will sit at 2026-05-01 indefinitely. Pull a fresh inventory of ro.build.version.security_patch across managed devices.
  3. Prioritise high-risk users. Limited, targeted exploitation means journalists, activists, executives, and government users matter more than the median user. If you maintain a high-risk-user list (CISO staff, board members, comms, finance leadership), patch them first.
  4. Restrict sideloading and disable unknown-sources installs where policy permits. The CVE is local; the exploit needs an app on the device. The narrower the install surface, the narrower the attack surface.
  5. For BYOD that you cannot force-update, communicate the bulletin and the 5 June KEV deadline to users with an explicit "install all available updates now" notice. A nudge is not enough — confirm via your MDM that compliance moved.
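The fleet sweep from steps 1 and 2, using the two patch strings from the Affected versions section, as an added example (not Google's, CISA's or any MDM vendor's tooling). It assumes an inventory already exported from an MDM or collected with `adb shell getprop ro.build.version.security_patch`; the device ids and the inventory itself are constructed placeholders.

```python
from datetime import date
# Added example, not Google's or CISA's tooling. Input is an inventory exported
# from an MDM or gathered with `adb shell getprop ro.build.version.security_patch`.
FRAMEWORK_FIX = date(2026, 6, 1)   # 2026-06-01 string: closes CVE-2025-48595
FULL_FIX = date(2026, 6, 5)        # 2026-06-05 string: adds kernel/SoC-vendor fixes
AFFECTED_RELEASES = {"14", "15", "16"}   # per the bulletin's affected-version list


def parse_patch_level(value: str):
    """ro.build.version.security_patch is 'YYYY-MM-DD'; None if empty or garbled."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def classify(release: str, patch_level: str) -> str:
    """compliant | framework-only | unpatched | unknown | not-listed."""
    if release.split(".")[0] not in AFFECTED_RELEASES:
        return "not-listed"        # release absent from the bulletin; audit separately
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown"           # missing property: treat as unpatched for triage
    if level >= FULL_FIX:
        return "compliant"
    if level >= FRAMEWORK_FIX:
        return "framework-only"    # Framework CVE closed, June SoC fixes still open
    return "unpatched"


def sweep(inventory):
    """Group device ids by state so stuck OEM devices stand out."""
    groups = {}
    for dev in inventory:
        groups.setdefault(classify(dev["release"], dev["security_patch"]), []).append(dev["id"])
    return groups


# Constructed sample inventory; ids are placeholders.
SAMPLE_INVENTORY = [
    {"id": "exec-pixel-01", "release": "16", "security_patch": "2026-06-05"},
    {"id": "comms-handset-02", "release": "15", "security_patch": "2026-06-01"},
    {"id": "kiosk-03", "release": "14", "security_patch": "2026-05-01"},
    {"id": "testbench-04", "release": "13", "security_patch": "2025-09-05"},
    {"id": "loaner-05", "release": "16", "security_patch": ""},
]
if __name__ == "__main__":
    for state, ids in sorted(sweep(SAMPLE_INVENTORY).items()):
        print(f"{state:15} {', '.join(ids)}")
```

Set the MDM compliance threshold to the same 2026-06-05 value so that "framework-only" devices are flagged rather than counted as done.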

Context

Android Framework zero-days under limited targeted exploitation are a recurring pattern: the May 2024 Pixel privilege-escalation CVE-2024-32896, the November 2024 CVE-2024-43093, and the March 2025 CVE-2024-50302 all carried the same "limited, targeted exploitation" language and were later tied to commercial spyware tooling. The June 2026 add fits the same shape — a high-severity privilege escalation in a code path the Framework reaches from any installed app, with no UI surface for the user to refuse.

The June 2026 bulletin is also one of the heavier monthly drops of the year: 124 fixes, 18 rated critical. Treating the Android patch cycle as routine background work is the failure mode this CVE punishes. The KEV deadline of 5 June 2026 lands inside the patch's first week — federal agencies have effectively three working days from disclosure to enforce.
