CVE-2025-48595 is an integer overflow in Android Framework that allows local privilege escalation, disclosed in the Android June 2026 Security Bulletin published June 2. Google confirms the bug is under limited, targeted exploitation in the wild. CISA added it to the Known Exploited Vulnerabilities catalog the same day, with a remediation deadline of June 5 for federal civilian agencies.

What the vulnerability is

The bug lives in Android Framework and is classified as an Elevation of Privilege vulnerability. An integer overflow in the component allows a local attacker -- meaning an app or process already running on the device -- to escalate privileges beyond what it was granted. The practical outcome is that a malicious or compromised app can gain system-level access without user interaction after initial code execution.

Affected versions: Android 14, 15, 16, and 16-qpr2. Android 13 and below are not listed as affected.

Severity is rated High. The active exploitation Google notes appears to be targeted rather than opportunistic mass scanning, which is consistent with the local-only attack surface.

CISA KEV status and what it means for you

CISA's KEV entry names this "Android Framework Integer Overflow Vulnerability" and sets the federal civilian (FCEB) remediation due date as June 5, 2026.

The KEV deadline is a binding directive only for US federal civilian executive branch agencies. For everyone else, the deadline carries no legal weight. What it does signal: this is not a theoretical risk. Exploitation is confirmed, a CVE number is assigned, a patch exists, and a government agency considers it serious enough to mandate action within three days of disclosure. That is a reasonable benchmark for any organization running Android in a managed fleet.

Patch availability

Google has made the fix available for Pixel devices through the June 2026 update. Patch levels 2026-06-01 and 2026-06-05 both address CVE-2025-48595.

For non-Pixel devices, patch availability depends on the OEM. Most major manufacturers (Samsung, OnePlus, Motorola, Nokia) ship monthly security updates but on a lag of weeks to months. There is no public consolidated list of which OEMs have released the fix as of today. Check your vendor's security bulletin page directly.

What MDM administrators should do

1. Force an update check now. In Intune, push a device compliance policy requiring the June 2026 security patch level (2026-06-01 minimum). In Jamf Pro, use a smart group scoped on OS Security Patch Version to surface non-compliant Android devices. In VMware Workspace ONE, the Device Compliance report filters by security patch date.

2. Identify exposed devices. Pull a report of all Android 14, 15, and 16 devices in your fleet. Cross-reference against devices that have not checked in within the last 14 days -- those are least likely to have received the update automatically.

3. Handle devices that cannot be patched. If the OEM has not released the June patch and the device has VPN or corporate email access, consider temporary restrictions: suspend VPN profile, require app-level MFA, or move the device to a quarantine network segment until a patch ships. For BYOD devices you do not control, the least disruptive option is to block enrollment or restrict email access via conditional access policies until the device reports a compliant patch level.

4. Watch for lateral movement risk. Local privilege escalation bugs are commonly used as a second stage after initial access via phishing or malicious app install. If you run mobile EDR (Microsoft Defender for Endpoint on Android, SentinelOne, or similar), ensure telemetry collection is active and review any anomalous privilege events logged since May 2026.
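A fleet-triage check that carries steps 1 through 3 into code, added here as an example that is not part of the original post. It assumes an MDM export that gives each device's Android version string, reported security patch level and last check-in date (the field names and sample devices are constructed), and buckets devices by whether they carry the 2026-06-01 fix and whether they have been silent for more than 14 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

FIXED_PATCH_LEVEL = date(2026, 6, 1)  # 2026-06-01 and 2026-06-05 both carry the fix
AFFECTED_MAJORS = {14, 15, 16}        # releases the bulletin lists; "16-qpr2" reports major 16
STALE_DAYS = 14                       # silent longer than this: least likely to have auto-updated

@dataclass
class Device:
    name: str
    os_version: str    # as the MDM export reports it, e.g. "15" or "16-qpr2" (assumed field)
    patch_level: str   # ro.build.version.security_patch, e.g. "2026-05-05" (assumed field)
    last_checkin: date

def major_version(os_version: str) -> int:
    """'16-qpr2' -> 16, '14.0' -> 14."""
    return int(os_version.split("-")[0].split(".")[0])

def is_exposed(dev: Device) -> bool:
    # Affected release running a patch level older than the fix.
    if major_version(dev.os_version) not in AFFECTED_MAJORS:
        return False
    return date.fromisoformat(dev.patch_level) < FIXED_PATCH_LEVEL

def triage(devices, today: date) -> dict:
    """Bucket a fleet export; exposed_stale devices get remediation priority."""
    buckets = {"patched": [], "exposed": [], "exposed_stale": [], "not_affected": []}
    for dev in devices:
        if major_version(dev.os_version) not in AFFECTED_MAJORS:
            buckets["not_affected"].append(dev.name)
        elif not is_exposed(dev):
            buckets["patched"].append(dev.name)
        elif (today - dev.last_checkin).days > STALE_DAYS:
            buckets["exposed_stale"].append(dev.name)
        else:
            buckets["exposed"].append(dev.name)
    return buckets

# Constructed sample export; device names and dates are made up for illustration.
TODAY = date(2026, 6, 3)
FLEET = [
    Device("pixel-01", "16", "2026-06-05", TODAY),
    Device("pixel-05", "16-qpr2", "2026-06-01", TODAY - timedelta(days=1)),
    Device("galaxy-02", "15", "2026-05-01", TODAY - timedelta(days=3)),
    Device("moto-03", "14", "2026-04-01", TODAY - timedelta(days=30)),
    Device("legacy-04", "13", "2026-03-01", TODAY),
]

if __name__ == "__main__":
    for bucket, names in triage(FLEET, TODAY).items():
        print(f"{bucket}: {names}")
```

Devices in the exposed_stale bucket are the ones to chase first: they may never have seen the update and are candidates for the VPN or email restrictions in step 3.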
