Particle.news

Google Patches Actively Exploited Android Zero‑Day in June Update

The fix closes a local privilege‑escalation bug used in limited targeted attacks, forcing device‑by‑device rollouts as vendors integrate chipset and kernel fixes.

Overview

  • Google released its June 2026 Android security bulletin on Monday, June 1, providing two patch levels (2026-06-01 and 2026-06-05) that together address 124 vulnerabilities.
  • The bulletin includes CVE-2025-48595, an integer overflow in the Android Framework that allows local privilege escalation without user interaction and affects Android 14, 15, 16 and 16‑QPR2.
  • Pixel phones are receiving the updates immediately, while other manufacturers must test and adapt fixes for closed‑source chipset and kernel components before staged rollouts reach their users.
  • Google warned that CVE-2025-48595 may be under limited, targeted exploitation and has not published technical details; similar bugs in the past have often been used by commercial spyware vendors or state actors.
  • Users should install updates as soon as their device receives them because Android’s fragmented ecosystem can leave many phones exposed for weeks while vendors and AOSP integrate and publish component patches.