Google fixes one actively exploited Android zero-day, 124 flaws
Google’s June 2026 Android security patches fix 124 vulnerabilities, including an actively exploited zero-day (CVE-2025-48595) that can enable remote code execution and privilege escalation on Android 14+. The updates also address 18 critical flaws across System, Framework, and Qualcomm components and are released in two patch levels (2026-06-01 and 2026-06-05). Pixel devices will receive the updates first, with other OEMs likely to take longer. The patching continues a trend of prior zero-days such as CVE-2025-48633, CVE-2025-48572, and CVE-2026-21385 being addressed in earlier updates.

Overview
Google released the June 2026 Android security patches, addressing a total of 124 vulnerabilities. Among these, one zero-day flaw is being actively exploited in targeted attacks. The vulnerability resides in the Android Framework and is tracked as CVE-2025-48595. Indications suggest the exploitation may be limited and targeted rather than widespread, but the impact is significant: local attackers could gain code execution and escalate privileges on devices running Android 14 or newer. Google notes that newer versions of Android include defenses that make exploitation more difficult, and users are encouraged to update where possible.
Active Zero-Day in the Android Framework
- Vulnerability: CVE-2025-48595, a high-severity flaw in the Android Framework.
- Exploitation: The issue could allow remote escalation of privilege with no additional execution privileges required, and user interaction is not needed for exploitation.
- Threat context: While details remain limited publicly, prior patterns show such flaws being used by commercial spyware operators and nation-state actors targeting high-profile individuals.
- Status: The exploitation is described as potentially limited and targeted, with ongoing observations from Google and security researchers.
Patch Rollout and What Was Fixed
- Patch levels: Two security patch levels were issued in June 2026 — 2026-06-01 and 2026-06-05. The second patch level bundles all fixes from the first, plus updates for closed-source third-party and kernel subcomponents that may not apply to every device.
- Total fixes: 124 vulnerabilities addressed across the Android platform.
- Critical fixes: Eighteen vulnerabilities classified as critical were patched across System, Framework, and Qualcomm closed-source components. These fixes cover scenarios including denial-of-service conditions and privilege escalation.
- Scope of impact: While Google Pixel devices typically receive updates promptly, other hardware vendors may require additional time to test and tailor patches for their specific configurations.
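The two patch levels above translate directly into a fleet check. The following is an added example, not code from Google or from the original article: it classifies devices by the values of the `ro.build.version.security_patch` and `ro.build.version.sdk` system properties. The inventory is constructed sample data, and the script assumes the Framework fix for CVE-2025-48595 ships in the 2026-06-01 level, which the article does not state.

```python
from datetime import date

# Patch levels named in the article for the June 2026 bulletin.
PARTIAL_LEVEL = date(2026, 6, 1)  # first level
FULL_LEVEL = date(2026, 6, 5)     # first level plus closed-source/kernel fixes
ZERO_DAY_MIN_SDK = 34             # API 34 = Android 14; the article says 14+ is affected

# Constructed sample: name, ro.build.version.sdk, ro.build.version.security_patch
SAMPLE_INVENTORY = """\
pixel-01\t36\t2026-06-05
tablet-07\t34\t2026-06-01
phone-12\t35\t2026-03-01
kiosk-03\t33\t2025-12-05
phone-19\t34\tunknown
"""


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch-level string; return None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def classify(sdk, patch):
    """Return (status, urgent) for one device.

    urgent is True when the device runs Android 14+ and cannot be shown to
    have any June 2026 fixes. Assumption: the CVE-2025-48595 fix is part of
    the 2026-06-01 level; the article does not say which level carries it.
    """
    level = parse_patch_level(patch)
    if level is None:
        return "unknown", sdk >= ZERO_DAY_MIN_SDK
    if level >= FULL_LEVEL:
        return "full", False
    if level >= PARTIAL_LEVEL:
        return "partial", False
    return "missing", sdk >= ZERO_DAY_MIN_SDK


def audit(inventory):
    """Map device name -> (status, urgent) for a tab-separated inventory."""
    rows = (line.split("\t") for line in inventory.splitlines() if line.strip())
    return {name: classify(int(sdk), patch) for name, sdk, patch in rows}


if __name__ == "__main__":
    for name, (status, urgent) in audit(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status:8} {'URGENT' if urgent else ''}")
```

A device reported as "partial" has the first level's fixes but not the closed-source and kernel subcomponent updates that only the 2026-06-05 level includes.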
Historical context and related zero-days
- December fixes: CVE-2025-48633 and CVE-2025-48572 were addressed earlier this season, both flagged as under limited, targeted exploitation at the time.
- March fix: CVE-2026-21385 affected a Qualcomm display component and was similarly described as under limited, targeted exploitation.
- Ongoing pattern: Google has consistently marked several high-severity Android issues as actively exploited only in targeted campaigns, underscoring the ongoing risk to a subset of devices.
Security program and rewards
- Vulnerability rewards program: Earlier this year, Google overhauled its Android vulnerability rewards program, offering bounties of up to $1.5 million for certain exploits.
- Payout dynamics: The program has also adjusted payouts for flaws that are easier to discover with automation and AI, balancing incentives to differentiate between harder, more nuanced vulnerabilities and those that can be surfaced more easily by tooling.
Additional context and related materials
- Validation gap: A related guide emphasizes that automated pentesting tools are adept at answering whether an attacker can move laterally through a network, but they are not sufficient to validate whether existing controls block threats, trigger detections, or maintain secure cloud configurations. The guide outlines six surfaces that organizations should validate rather than rely solely on automated testing.
- Related resources and articles: The patch cycle and vulnerability details are often accompanied by additional reports that discuss broader patch Tuesday trends, other vendors’ fixes, and ongoing exploit activity in the wild.
Key takeaways
- A newly disclosed Android Framework zero-day remains the most critical concern in the June 2026 patch cycle, given its potential for remote privilege escalation without user action.
- The June 2026 patches address a large number of vulnerabilities, with a focused emphasis on critical flaws that enable abuse across multiple components.
- The update cadence shows Google’s commitment to rapidly releasing patches, while device manufacturers may vary in how quickly they roll updates to end users.
- Past zero-days have followed a similar pattern of targeted exploitation, reinforcing the importance of timely patching and ongoing monitoring for signs of targeted campaigns.
Related and background notes
- The June release consolidates fixes from two patch levels and includes updates to both open and closed-source components.
- Device manufacturers, security teams, and users should prioritize devices known to have urgent risk factors and apply updates as they become available through official channels.
- The vulnerability landscape continues to evolve, with high-severity issues often tied to sophisticated exploitation campaigns and partnerships between attackers, spyware operators, and other threat actors.
Validation and practical considerations
- Organizations are encouraged to look beyond automated tests and validate that their controls, detections, and cloud configurations are robust against real-world exploitation vectors.
- A structured approach to validation can help identify gaps that automated tools might miss, particularly in configurations and monitoring rules that affect real-time threat detection.


