Android June 2026 Security Update: Zero-Day Fix, 124 Vulnerabilities Patched


Google's Android June 2026 security update patches 124 vulnerabilities across Android 14, 15, 16, and 16 QPR2, including one privilege-escalation flaw that is already being used in targeted attacks, according to Google's official advisory published this week. The exploited bug is CVE-2025-48595, a high-severity elevation-of-privilege flaw in Android's Framework component. The fix exists. Getting it to users is a different problem entirely.

"There are indications that CVE-2025-48595 may be under limited, targeted exploitation," Google said in its advisory. The company has not identified the attacker, the delivery method, or the targets, SecurityWeek reported this week. For Android owners on devices from Samsung, Motorola, Xiaomi, OnePlus, and other manufacturers, whether "patched" and "protected" mean the same thing depends on vendor rollout schedules that vary by device model and age.

What CVE-2025-48595 actually does

CVE-2025-48595 is not a remote-takeover bug. It requires a local attacker, meaning someone who has already established some foothold on the device. From there, exploitation could allow broader access to device resources than normally permitted, turning a limited compromise into a more capable one, CyberInsider noted this week. It is a link in an attack chain, not a standalone weapon.

That framing matters for calibrating risk. "Limited, targeted exploitation" is Google's standard language for confirmed in-the-wild use that has not spread broadly. It typically signals that the attacker has specific targets in mind rather than running a mass campaign. That does not make patching optional: bugs like this tend to migrate from targeted use to wider deployment once the details are public, and the fix is now public.

The flaw affects every currently supported Android release: versions 14, 15, 16, and 16 QPR2, per Google's bulletin. Google has not attributed the exploitation to any group (commercial spyware vendor, criminal organization, or state actor), CyberInsider reported. Until attribution surfaces, the specific risk to enterprise deployments and high-value targets remains an open question tied directly to who is behind it and what they are after.

The bulletin beyond the zero-day: a no-click critical flaw

The actively exploited flaw is not what Google rates as the most severe issue in this release. That distinction goes to CVE-2025-65018, a critical Framework vulnerability that could enable remote privilege escalation with no additional permissions required and no user interaction needed, per Google's advisory. No exploitation of CVE-2025-65018 has been confirmed. Its no-interaction attack profile makes it more scalable than the known zero-day, though, if someone builds a working exploit.

One caveat worth understanding: Google's severity ratings assume platform mitigations are disabled or bypassed, as they would be in a development environment or following a prior compromise, per the AOSP bulletin. On devices running current Android versions with those mitigations intact, real-world exploitability of the highest-rated flaws may be lower than the ratings suggest. Google has said as much directly: "Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform," according to BleepingComputer, which cited the company's advisory this week.

The broader bulletin covers 18 critical vulnerabilities across Framework, System, and Qualcomm closed-source components, spanning privilege escalation and denial-of-service conditions, SecurityWeek and BleepingComputer reported this week. Of the entire batch, only one flaw enables remote code execution: CVE-2026-0059, a System component bug, SecurityWeek reported. The remainder are privilege-escalation and denial-of-service issues.

Android June 2026 security update: who gets the patch and when

Google issued two patch levels with this bulletin: 2026-06-01 and 2026-06-05. The 2026-06-05 level bundles all fixes from the first batch plus patches for closed-source third-party and kernel subcomponents that do not apply to every device, per BleepingComputer and the AOSP bulletin. Either level fully addresses the actively exploited zero-day; the distinction between them matters primarily for devices with affected chipset components. Security patch levels of 2026-06-05 or later address all issues in the release, per the AOSP bulletin.

Some fixes, those bundled through Google's Project Mainline, can reach supported devices via the Play Store without a full firmware update, bypassing the standard OEM queue for certain components, per the AOSP bulletin. That narrows the exposure window somewhat for users on non-Pixel hardware, though it does not close it entirely. Mainline updates apply automatically in the background, so users who have not received the June firmware may already have coverage for some vulnerabilities without realizing it.

For the rest of the update, the timeline is the manufacturer's call. Google notifies Android hardware partners of vulnerabilities at least one month before publishing the bulletin, per the AOSP advisory, so Samsung, Motorola, Xiaomi, OnePlus, and others have had the information. Shipping it is a separate matter. Pixel devices receive patches first; availability for other vendors depends on each manufacturer's own release schedule, CyberInsider noted. Devices that are no longer receiving security updates carry the actively exploited zero-day as an unmitigated risk for as long as they remain in use, absent any out-of-band fix from the vendor.

The supply chain runs deeper than OEM scheduling alone. Components from chipmakers including Imagination Technologies, MediaTek, Qualcomm, and Unisoc remain vulnerable in some configurations, heise reported this week. That is a layer of the problem Google cannot address through its own bulletins.

It is also worth noting a shift in Google's update cadence that heise flagged this week: since July 2025, Google has been addressing only the most critical security vulnerabilities on a monthly basis, with broader updates delivered quarterly. That change affects how quickly lower-severity issues reach users, even on devices that are fully supported.

Users can check their security patch level under Settings and look for 2026-06-01 or 2026-06-05. For those on non-Pixel devices where the June firmware has not arrived, checking whether Mainline component updates have already applied through the Play Store is a reasonable first step. Enterprise and mobile device management teams will want to audit fleet patch levels, given that CVE-2025-48595 affects every supported Android version, and flag hardware that has aged out of the update cycle entirely.
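The fleet audit described above can be scripted. The following is an added example, not code from the original article or from Google: it assumes an inventory exported from an MDM, or collected per device with `adb shell getprop ro.build.version.security_patch`, and classifies each device against the two patch levels in the bulletin (2026-06-01 covers the exploited zero-day, 2026-06-05 covers everything). The sample inventory and the 90-day "aged out" threshold are constructed assumptions for the example.

```python
"""Classify Android devices by security patch level against the June 2026 bulletin.

Input: rows of (device_id, model, android_version, security_patch_level), where
the patch level is the YYYY-MM-DD string a device reports in
ro.build.version.security_patch. The inventory below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Patch levels from the AOSP bulletin: 2026-06-01 fixes CVE-2025-48595 (the
# exploited zero-day); 2026-06-05 adds closed-source and kernel subcomponent fixes.
PARTIAL_LEVEL = date(2026, 6, 1)
FULL_LEVEL = date(2026, 6, 5)
# Assumption for this example: a device whose patch level is more than 90 days
# behind "today" is treated as having aged out of its vendor's update cycle.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    android_version: str
    security_patch: str  # as reported by the device, e.g. "2026-06-05"


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch string; return None if it is missing or malformed."""
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError, TypeError):
        return None


def classify(device, today):
    """Return one of: full, partial, exposed, aged-out, unknown."""
    level = parse_patch_level(device.security_patch)
    if level is None:
        return "unknown"          # MDM did not report a usable patch level
    if level >= FULL_LEVEL:
        return "full"             # all issues in the June bulletin addressed
    if level >= PARTIAL_LEVEL:
        return "partial"          # zero-day fixed; chipset/kernel fixes may be pending
    if today - level > STALE_AFTER:
        return "aged-out"         # likely no longer receiving updates at all
    return "exposed"              # supported but June firmware has not arrived


def audit(devices, today):
    """Group device ids by status so the exposed and aged-out sets can be acted on."""
    report = {"full": [], "partial": [], "exposed": [], "aged-out": [], "unknown": []}
    for dev in devices:
        report[classify(dev, today)].append(dev.device_id)
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("dev-001", "example-pixel", "16", "2026-06-05"),
    Device("dev-002", "example-samsung", "15", "2026-06-01"),
    Device("dev-003", "example-motorola", "14", "2026-05-01"),
    Device("dev-004", "example-oneplus", "14", "2025-12-01"),
    Device("dev-005", "example-unknown", "16", "n/a"),
]

if __name__ == "__main__":
    for status, ids in audit(SAMPLE_INVENTORY, date(2026, 6, 15)).items():
        print(f"{status:>9}: {', '.join(ids) or '-'}")
```

A device reported as "partial" is protected against CVE-2025-48595 but may still be waiting on the 2026-06-05 closed-source fixes for its chipset; "exposed" and "aged-out" devices are the ones to escalate to the vendor or retire. Note that Mainline component updates delivered through the Play Store do not change the reported patch level, so this check slightly overstates exposure on devices that have received them.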

What remains unknown

The missing piece is attribution. No outside party has publicly identified who is exploiting CVE-2025-48595 or against whom, CyberInsider and SecurityWeek both noted this week. Until Google or a threat intelligence firm names who is behind the activity, the bulletin tells users what to patch, not whom to blame. If attribution does emerge, particularly involving commercial spyware or a state-sponsored actor, the risk calculus for enterprise Android deployments could shift materially. That development matters more than anything else still pending on this bulletin.
