Google's June Android Update Patches a Zero-Click Privilege Escalation Flaw Under Active Exploitation

The Hacker News

Google's June 2026 Android Security Bulletin patches CVE-2025-48595, a critical zero-click elevation-of-privilege flaw in the Android Framework that the company confirms is being exploited in targeted attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which is as close to an official "patch immediately" directive as federal cybersecurity authorities issue.

Zero-click means no user interaction is required. An attacker does not need to trick the victim into opening a link, installing an app, or granting a permission. Combined with elevation-of-privilege — the ability to escalate to system-level access — this class of vulnerability is among the most dangerous in mobile security. The practical result is that a targeted device can be compromised without the owner taking any action that would signal an attack.

What's Affected

CVE-2025-48595 impacts devices running Android 14, 15, 16, and 16 QPR2. The June 2026 Security Bulletin, published June 1 and updated June 3, addresses 124 vulnerabilities in total across Android's Framework, System, and kernel components. Security patch level 2026-06-05 or later resolves all reported issues in this bulletin.

Users can verify their patch level by going to Settings → About Phone → Android version → Security patch level. On devices that receive monthly Android security updates directly from Google — Pixel phones and some Samsung Galaxy flagships — the update is rolling out now. Devices from other manufacturers may take several weeks longer depending on their carrier and OEM update schedules.
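For anyone responsible for more than one handset, the same patch level is readable over adb from the `ro.build.version.security_patch` system property. The script below is an added example, not code from the article or from Google: it classifies each attached device against the bulletin's 2026-06-05 level and the affected releases (Android 14, 15, 16), assuming adb is installed and the devices are authorized for USB debugging.

```shell
#!/bin/sh
# Added example, not code from the article or from Google. Classifies attached
# Android devices against the June 2026 bulletin (CVE-2025-48595 affects Android
# 14, 15 and 16; patch level 2026-06-05 resolves it). Assumes adb is installed.

REQUIRED_PATCH="2026-06-05"

# patch_level_ok <YYYY-MM-DD>
# Returns 0 if the level is at or after REQUIRED_PATCH, 1 if it is older,
# 2 if the value is empty or not an ISO date (e.g. an empty getprop result).
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Dropping the dashes turns ISO dates into integers that order correctly.
    [ "$(printf '%s\n' "$1" | sed 's/-//g')" -ge \
      "$(printf '%s\n' "$REQUIRED_PATCH" | sed 's/-//g')" ]
}

# classify <android-release> <patch-level>  prints one of:
#   PATCHED       affected release, patch level current
#   EXPOSED       affected release, patch level behind the bulletin
#   UNKNOWN       patch level unreadable; treat as exposed until verified
#   OUT_OF_SCOPE  release not listed as affected (check the OEM bulletin)
classify() {
    case "$1" in
        14|15|16) ;;
        *) echo OUT_OF_SCOPE; return 0 ;;
    esac
    if patch_level_ok "$2"; then
        echo PATCHED
    elif [ $? -eq 1 ]; then
        echo EXPOSED
    else
        echo UNKNOWN
    fi
}

# check_connected_devices: one tab-separated line per attached device:
# serial, Android release, reported patch level, status.
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        lvl=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s\t%s\t%s\t%s\n' "$serial" "$rel" "$lvl" "$(classify "$rel" "$lvl")"
    done
}
```

Run `check_connected_devices` with the devices plugged in; any EXPOSED or UNKNOWN line is a device still waiting on its OEM update.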

What CISA's KEV Listing Means

CISA's Known Exploited Vulnerabilities catalog is a mandatory remediation list for U.S. federal agencies, with binding deadlines for patching. When CISA adds a vulnerability to the KEV catalog, it means the agency has confirmed real-world exploitation — not theoretical risk — with a high enough confidence level to impose federal patching deadlines.

For civilian organizations, CISA's KEV listing is effectively a high-priority advisory: this vulnerability is being actively weaponized. Google's own disclosure language — "limited, targeted exploitation" — suggests this isn't a mass exploit campaign yet, but rather attacks likely tied to commercial spyware operators or nation-state actors who routinely acquire or discover zero-click mobile exploits for targeted surveillance.

No Workaround: Update Is the Only Fix

There is no configuration change or user-side mitigation that closes this vulnerability. The Android Framework component where the flaw resides cannot be isolated or disabled without breaking core system functionality. The only protection is applying the June 2026 security patch.

Users who cannot immediately update — because their device manufacturer hasn't shipped the patch yet — should be aware that this is an active exploitation scenario, not a theoretical future risk. Individuals who are high-value surveillance targets (journalists, executives, activists, government officials) face the greatest risk from this class of targeted zero-click exploit, as these attacks are typically expensive to deploy and are directed rather than indiscriminate.

The June bulletin also patches CVE-2026-28577, a privilege escalation flaw via tapjacking, and several other high-severity issues across the kernel and media components. Any Android device that can receive the June 2026 patch should do so as soon as it's available from the manufacturer.

Originally reported by The Hacker News. Read the original article for additional details.
