
Google Patches Android Zero-Day Under Active Exploitation

· 2 min read · SecurityXP Editorial Team

The Android Vulnerability

Google has released patches for 124 Android security vulnerabilities. One of them, CVE-2025-48595, has a CVSS score of 8.4 and is under active exploitation. It affects Android versions 14, 15, 16, and 16 QPR2, and it allows privilege escalation without requiring user interaction.

According to Google, there are indications that CVE-2025-48595 may be under limited, targeted exploitation. This highlights the ongoing trend of threat actors targeting mobile operating systems to gain access to sensitive enterprise and personal data. The fact that this vulnerability can be exploited without user interaction is particularly concerning. It means organizations need to prioritize mobile device security and rapidly deploy patches to prevent similar attacks.

Under the Hood

CVE-2025-48595 is an integer overflow, present in multiple locations, that offers a possible way to achieve code execution and can lead to local escalation of privilege. Exploitation requires neither additional execution privileges nor user interaction, which is what makes the vulnerability serious.

The Affected Devices

This high-severity vulnerability affects devices running Android versions 14, 15, 16, and 16 QPR2, specifically the Android Framework component. Successful exploitation of CVE-2025-48595 can enable attackers to gain code execution and access sensitive data. This incident is similar to recent zero-day exploits, such as those seen in the Chrome and Microsoft Exchange vulnerabilities, which also involved targeted attacks and privilege escalation.

Mitigation and Protection

To mitigate this vulnerability, users should update their Android devices to the latest version and apply the June 2026 security patches released by Google. Ensuring devices are running a version other than Android 14, 15, 16, or 16 QPR2 is crucial. Patching the Framework component to fix CVE-2025-48595 is essential to prevent exploitation. By taking these steps, organizations can reduce the risk of exploitation and protect sensitive data.

The timeline leading to the patch release is short: before June 2026, CVE-2025-48595 was discovered and exploited by attackers, and Google acknowledged limited, targeted exploitation before releasing patches on Monday, June 2026.

For Defenders

Organizations should prioritize mobile device security and rapidly deploy patches to prevent similar attacks. This includes updating Android devices to the latest version, applying the June 2026 security patches, and ensuring devices are running a version other than Android 14, 15, 16, or 16 QPR2. The exploitation of zero-day vulnerabilities can have significant consequences, including data breaches and unauthorized access to sensitive information.
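One way to turn this guidance into a fleet check, as an added example that is not from Google or the original article: the script classifies devices from `getprop` dumps by Android release and security patch level. The device names, the sample dumps and the `2026-06-01` threshold are assumptions; the article only says "June 2026 security patches", so confirm the exact patch level that carries the fix in Google's bulletin.

```python
import re
from datetime import date

# Releases the article lists as affected. Assumption: 16 QPR2 builds report
# ro.build.version.release as "16", so three strings cover the list.
AFFECTED_RELEASES = {"14", "15", "16"}
# Assumption: placeholder for the June 2026 patch level; confirm the exact
# level that carries the fix in Google's bulletin.
REQUIRED_PATCH_LEVEL = date(2026, 6, 1)

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(text):
    """Parse `[key]: [value]` lines as printed by `getprop` into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def classify(getprop_text, required=REQUIRED_PATCH_LEVEL):
    """Return 'patched', 'vulnerable', 'not-affected' or 'unknown'."""
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release", "")
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown"      # missing or malformed patch level: review by hand
    if not release:
        return "unknown"      # cannot tell whether the release is affected
    if release not in AFFECTED_RELEASES:
        return "not-affected"
    return "patched" if patch >= required else "vulnerable"

def audit(fleet):
    """Map each device name to its classification."""
    return {name: classify(dump) for name, dump in fleet.items()}

# Constructed sample dumps (not real devices).
SAMPLE_FLEET = {
    "phone-a": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: [2026-05-05]",
    "phone-b": "[ro.build.version.release]: [16]\n[ro.build.version.security_patch]: [2026-06-01]",
    "tablet-c": "[ro.build.version.release]: [13]\n[ro.build.version.security_patch]: [2025-01-05]",
    "kiosk-d": "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: []",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_FLEET).items():
        print(f"{name}: {status}")
```

Devices reported as `unknown` have a missing or malformed patch level and should be reviewed manually rather than assumed safe.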
