
Google on Monday released patches for 124 security vulnerabilities affecting its Android operating system through June 2026. The fixes include one for a high-severity flaw in a framework component that is being actively exploited.
This security flaw is tracked as CVE-2025-48595 (CVSS score: 8.4) and is described as a case of privilege escalation without requiring user interaction. This vulnerability affects devices running Android versions 14, 15, 16, and 16 QPR2 (Quarterly Platform Release 2).
“An integer overflow could lead to code execution in multiple locations,” according to the vulnerability description on CVE.org. “This could lead to local elevation of privilege with no additional execution privileges required. Exploitation does not require user interaction.”
Google acknowledged that there are indications that CVE-2025-48595 may be under “limited and targeted exploitation.” As usual, the tech giant did not provide details about who may be behind this activity, the targets affected, or the scale of such efforts.
That said, similar flaws have been weaponized by commercial spyware vendors to target high-profile individuals as part of highly targeted attacks.
Elsewhere, a number of vulnerabilities have been fixed in system components, the most severe of which could allow local elevation of privilege without requiring additional execution privileges.
Google has released two patch sets: security patch levels 2026-06-01 and 2026-06-05. The latter includes all the fixes from the first set, plus patches for kernel and third-party chipset components from Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
