Google’s June Android Patch Closes an Actively Exploited Zero‑Day — Update Now

Google’s June 2026 Android security bulletin patched a high‑severity zero‑day that the company says was already being used in "limited, targeted exploitation." The update — distributed as security patch level 2026-06-05 — addresses an elevation‑of‑privilege bug in the Android Framework tracked as CVE-2025-48595 and ships alongside fixes for more than a hundred other vulnerabilities.

What was fixed

According to Google’s bulletin, CVE-2025-48595 is an integer‑overflow flaw in the Android Framework that can let an unauthenticated local user run arbitrary code and escalate privileges to gain full control of a device. Importantly, Google says "user interaction is not needed for exploitation," which raises the severity: an attacker can trigger the flaw without the device owner tapping anything.

The June package is big — roughly 124 issues in total across the platform — and it bundles the actively exploited Framework zero‑day with a range of other patches. Google has previously flagged other serious flaws (for example, a Qualcomm graphics driver issue disclosed earlier in the year), underscoring that platform components and chipset drivers remain attractive targets for attackers.

For full technical details, see Google’s official Android security bulletin.

Who gets the update and how fast

Google says Pixel phones received the update immediately; hardware partners and third‑party manufacturers were notified in advance so they can integrate the fixes for their devices. In practice, that means non‑Pixel users may wait days or weeks for an OEM‑specific rollout. That delay is one reason device patch lag remains a persistent problem for mobile security — organizations and consumers can be protected on paper but exposed in practice until vendors push builds and carriers accept them.

If you have a Pixel and wondered why Google’s monthly fixes matter, recall the company pushed a wide‑ranging April patch to Pixels to address earlier issues and device‑specific oddities — that same fast cadence is what got this June fix out quickly for Pixels. For context, see our coverage of the April Pixel patch rollout and related issues.

Why this matters

An elevation‑of‑privilege bug in the Framework can be chained with other exploits to achieve persistent, full system compromise: think stolen data, microphone/camera access, or a surreptitious backdoor. Because the flaw requires no user interaction, it’s especially dangerous in targeted campaigns against high‑value individuals or organizations. Mobile‑first attackers increasingly aim at OS and driver code for maximum leverage.

Developers and enthusiasts following new Android builds should also note that platform work continues in parallel — Android 17 development and recent beta releases hint at broader OS changes that will interact with security hardening going forward. If you’re testing betas you may want to weigh that work against stability and patch timing; see our coverage of Android 17 Beta 3 features and fixes.

What you should do right now

  • Check your device’s security patch level: Settings → About phone → Android version. The June fix is packaged as security patch level 2026-06-05.
  • Install updates as soon as they appear for your device. If you have a Pixel, the update should already be available; for other brands, watch your OEM’s update channel.
  • Keep Google Play Protect enabled and avoid sideloading apps from untrusted sources — attackers often use third‑party installers to deliver exploit chains.
  • If you manage devices for an organization, prioritize patching for high‑risk users and consider temporary mitigations (threat detection, network segmentation, stricter app installation policies) while waiting on OEM builds.
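For administrators, here is one way to turn the last bullet into a patch queue. This is an added example, not code from Google or from the bulletin. It assumes you already hold a per-device inventory with the patch level string each device reports (for instance the value of the `ro.build.version.security_patch` property); the serials, field names and sample rows are constructed for illustration.

```python
import re
from datetime import date

# Patch level the article says carries the fix.
REQUIRED = date(2026, 6, 5)
_SPL = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

# Constructed sample inventory (hypothetical serials and field names).
SAMPLE_INVENTORY = [
    {"serial": "PIXEL-0001", "patch_level": "2026-06-05", "high_risk": True},
    {"serial": "OEM-0002", "patch_level": "2026-05-01", "high_risk": True},
    {"serial": "OEM-0003", "patch_level": "2026-04-05", "high_risk": False},
    {"serial": "OEM-0004", "patch_level": "", "high_risk": False},
    {"serial": "OEM-0005", "patch_level": "2026-06-01\n", "high_risk": True},
]

def parse_spl(value):
    """Return a date for a 'YYYY-MM-DD' patch level, or None if unusable."""
    m = _SPL.fullmatch((value or "").strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # well-formed but impossible, e.g. month 13
        return None

def triage(inventory, required=REQUIRED):
    """List devices below `required`: high-risk users first, unknowns before known-old."""
    findings = []
    for dev in inventory:
        spl = parse_spl(dev.get("patch_level"))
        if spl is not None and spl >= required:
            continue  # at or above the level the article names
        findings.append({
            "serial": dev["serial"],
            "status": "unknown" if spl is None else "behind",
            "days_behind": None if spl is None else (required - spl).days,
            "high_risk": bool(dev.get("high_risk")),
        })
    # A missing or unparsable level is treated as worst case within its tier.
    findings.sort(key=lambda f: (not f["high_risk"],
                                 f["status"] != "unknown",
                                 -(f["days_behind"] or 0)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Note that a device reporting 2026-06-01 is still queued: it is in the right month but below the 2026-06-05 level the fix is packaged as.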

Google also indicates source code patches will appear in the Android Open Source Project (AOSP) after disclosure; that helps downstream vendors and security researchers analyze fixes but doesn’t speed OTA delivery to end users.

Attackers often move faster than consumers expect. An update that takes a few minutes to apply can prevent a compromise that takes weeks to clean up — so hit update now, before curiosity becomes a problem.
