
CVE-2025-48595: Android Framework EoP, exploited, in CISA KEV (June 5 deadline)

Ikesan

TL;DR

What happened: Android’s June 2026 bulletin patches Framework CVE-2025-48595 across Android 14, 15, 16, and 16-qpr2. CVSS 3.1 score 8.4 HIGH (CISA-ADP assessment; NVD itself has not scored it).

Exploitation: Google states there are indications of limited, targeted exploitation. CISA added it to the KEV catalog on June 2, 2026.

What to do: Raise your device’s Android security patch level to 2026-06-01 or later. If you also want the chipset and kernel fixes, verify 2026-06-05 or later.


Google published the June 2026 Android Security Bulletin, and The Hacker News reported it as 124 fixes. The bulletin as a whole includes 18 Critical issues.
The notable part this month is not the count but that Framework’s CVE-2025-48595 is listed with indications of “limited, targeted exploitation.”
It affects Android 14, 15, 16, and 16-qpr2, and is classified as local privilege escalation with no user interaction and no additional privileges required.

In CWE terms it maps to CWE-190 (integer overflow).
An integer overflow is a bug where an arithmetic result exceeds the range of the variable that holds it and wraps around to a value much smaller than intended (for a signed type it can come out negative).
When that happens in a buffer-length or index calculation, the code allocates a buffer smaller than the data it then copies in, or computes an offset outside the intended bounds; that memory corruption is what can be driven to code execution.
CVE-2025-48595 has several spots in the Framework where such a calculation goes wrong, and the resulting code execution reaches local privilege escalation.
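The bug class in miniature, as an added illustration constructed for this article (it is not Android Framework code, and the record/count names are invented): a byte total held in a 32-bit variable wraps when the record count is large, so the unchecked path would allocate far less than the caller is about to write; the checked path detects the wrap and refuses the request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of CWE-190 in a length calculation. Nothing here
 * mirrors real Framework code; `count` and `record_size` are invented. */

/* Vulnerable pattern: the byte total for `count` records of `record_size`
 * bytes is computed in a 32-bit unsigned variable. Unsigned multiplication
 * wraps modulo 2^32, so a large `count` yields a total far smaller than the
 * data the caller intends to copy. Returns that wrapped total. */
uint32_t length_unchecked(uint32_t count, uint32_t record_size)
{
    return count * record_size;          /* wraps silently */
}

/* Hardened pattern: detect the overflow and refuse the request. Returns 0
 * when the product does not fit in 32 bits (or is genuinely zero), so a 0
 * result always means "do not allocate". __builtin_mul_overflow is a
 * GCC/Clang builtin; C23 offers ckd_mul() in <stdckdint.h>. */
uint32_t length_checked(uint32_t count, uint32_t record_size)
{
    uint32_t total;
    if (__builtin_mul_overflow(count, record_size, &total))
        return 0;
    return total;
}

/* True when the caller's real data size (64-bit product) exceeds what the
 * unchecked 32-bit calculation would have allocated: the overrun condition. */
bool would_overrun(uint32_t count, uint32_t record_size)
{
    uint64_t real = (uint64_t)count * record_size;
    return real > length_unchecked(count, record_size);
}

/* Copy `count` records of `record_size` bytes from `src` into a fresh
 * buffer sized by the checked length. Returns NULL and copies nothing when
 * the calculation overflows, instead of allocating a wrapped size and
 * writing past it. Caller frees the result. */
unsigned char *copy_records_checked(const unsigned char *src,
                                    uint32_t count, uint32_t record_size)
{
    uint32_t total = length_checked(count, record_size);
    if (total == 0 || src == NULL)
        return NULL;
    unsigned char *dst = malloc(total);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, total);
    return dst;
}

/* Self-check on constructed input (three 4-byte records): true when the
 * checked copy succeeds and preserves the bytes. */
bool demo_valid_copy(void)
{
    const unsigned char sample[12] = "AAAABBBBCCC";   /* constructed data */
    unsigned char *out = copy_records_checked(sample, 3, 4);
    bool ok = out != NULL && memcmp(out, sample, sizeof sample) == 0;
    free(out);
    return ok;
}

int main(void)
{
    uint32_t count = 0x40000001u, size = 4u;   /* 2^30 + 1 records of 4 bytes */
    printf("unchecked length : %u bytes (real need %llu)\n",
           (unsigned)length_unchecked(count, size),
           (unsigned long long)count * size);
    printf("checked length   : %u (0 = refused)\n",
           (unsigned)length_checked(count, size));
    printf("would overrun    : %s\n", would_overrun(count, size) ? "yes" : "no");
    printf("valid copy ok    : %s\n", demo_valid_copy() ? "yes" : "no");
    return 0;
}
```

With 0x40000001 records of 4 bytes the unchecked total is 4: the product 0x100000004 loses its top bit. A subsequent copy of the real size into that 4-byte buffer is the write past the allocation that the paragraph above describes.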

The Wireless ADB CVE-2026-0073 I wrote about in May affected the same Android 14–16/16-qpr2 range but was about reaching adbd from an adjacent network.
This one is a Framework-side integer overflow, and the CISA-ADP vector shown on NVD is AV:L (local).
It is not an internet-facing entry point but a privilege escalation that runs after something is already executing on the device.

The difference between 2026-06-01 and 2026-06-05

Android’s monthly patch is, again this month, split into two levels: 2026-06-01 and 2026-06-05.
2026-06-01 is the baseline, and 2026-06-05 is its superset, so a patch level of 2026-06-05 or later is treated as including everything disclosed this round.

| Patch level | Coverage | CVE-2025-48595 | Chipset/kernel fixes |
|---|---|---|---|
| 2026-06-01 | Android platform (Framework, System) | Included | Not included |
| 2026-06-05 | All of 2026-06-01 + extra | Included | Included (kernel, Imagination, MediaTek, Qualcomm, Unisoc, etc.) |

CVE-2025-48595 is listed in the Framework table, so if a device’s patch level is 2026-06-01 or later, it satisfies the condition for fixing this CVE on its own.
But if you want to also close out the June chipset and kernel issues, you need 2026-06-05 or later.
When you mark a device as “updated for June” in device management, record not just the month name but whether the displayed value is 2026-06-01 or 2026-06-05.

CVE-2025-48595 is a high-severity privilege escalation

The description for CVE-2025-48595 is short.
There are several places where an integer overflow leads to code execution, and that reaches local privilege escalation.
The CISA-ADP CVSS 3.1 is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, giving 8.4 HIGH.

PR:N and UI:N indicate the attack requires no additional privileges and no user interaction.
On the other hand, it is AV:L, so it is treated differently from an RCE you can hit directly over the network.
Within an exploit chain, it is used as the privilege-raising stage after first obtaining on-device code execution through something like a malicious app.
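To check the 8.4 figure rather than take it on trust, here is an added example (written for this article; not code from NVD, CISA, or the bulletin) that implements the CVSS v3.1 base-score formula from the specification and evaluates the CISA-ADP vector. The same routine scores the AV:N variant so the cost of the local vector is visible.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Base-metric weights from the CVSS v3.1 specification (section 7.4).
 * PR weights depend on Scope; both columns are kept so other vectors
 * score correctly, not just the S:U one used by this CVE. */
static double av_weight(char v) { return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : 0.2; }
static double ac_weight(char v) { return v == 'L' ? 0.77 : 0.44; }
static double pr_weight(char v, bool changed)
{
    if (v == 'N') return 0.85;
    if (v == 'L') return changed ? 0.68 : 0.62;
    return changed ? 0.50 : 0.27;                       /* 'H' */
}
static double ui_weight(char v) { return v == 'N' ? 0.85 : 0.62; }
static double cia_weight(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }

/* Roundup as defined in the spec (appendix A): smallest value with one
 * decimal that is >= x, computed on an integer to avoid float surprises.
 * x is never negative here, so truncation after +0.5 rounds correctly. */
static double roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) return (double)i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;              /* integer division = floor */
}

/* Parse a vector such as "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
 * (the CVSS:3.1 prefix is optional) and return the base score, or -1.0 if
 * any of the eight base metrics is missing. */
double cvss31_base_score(const char *vector)
{
    char av = 0, ac = 0, pr = 0, ui = 0, s = 0, c = 0, i = 0, a = 0;
    const char *p = vector;
    while (p && *p) {
        if      (strncmp(p, "AV:", 3) == 0) av = p[3];
        else if (strncmp(p, "AC:", 3) == 0) ac = p[3];
        else if (strncmp(p, "PR:", 3) == 0) pr = p[3];
        else if (strncmp(p, "UI:", 3) == 0) ui = p[3];
        else if (strncmp(p, "S:", 2) == 0)  s  = p[2];
        else if (strncmp(p, "C:", 2) == 0)  c  = p[2];
        else if (strncmp(p, "I:", 2) == 0)  i  = p[2];
        else if (strncmp(p, "A:", 2) == 0)  a  = p[2];
        p = strchr(p, '/');
        if (p) p++;
    }
    if (!av || !ac || !pr || !ui || !s || !c || !i || !a) return -1.0;

    bool changed = (s == 'C');
    double iss = 1.0 - (1.0 - cia_weight(c)) * (1.0 - cia_weight(i)) * (1.0 - cia_weight(a));
    double impact;
    if (changed) {
        double t = iss - 0.02, t15 = 1.0;
        for (int k = 0; k < 15; k++) t15 *= t;           /* (ISS - 0.02)^15 without <math.h> */
        impact = 7.52 * (iss - 0.029) - 3.25 * t15;
    } else {
        impact = 6.42 * iss;
    }
    double exploitability = 8.22 * av_weight(av) * ac_weight(ac) * pr_weight(pr, changed) * ui_weight(ui);
    if (impact <= 0.0) return 0.0;
    double sum = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return roundup(sum < 10.0 ? sum : 10.0);
}

int main(void)
{
    const char *local   = "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";   /* CISA-ADP vector */
    const char *network = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";   /* same, but remote */
    printf("%s -> %.1f\n", local, cvss31_base_score(local));
    printf("%s -> %.1f\n", network, cvss31_base_score(network));
    return 0;
}
```

For the CISA-ADP vector the impact sub-score is 6.42 × 0.914816 ≈ 5.873 and exploitability is 8.22 × 0.55 × 0.77 × 0.85 × 0.85 ≈ 2.515; their sum 8.388 rounds up to 8.4. Swapping AV:L for AV:N lifts exploitability to about 3.887 and the score to 9.8, which is the gap between "needs a foothold on the device" and "reachable from the network".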

Google has not disclosed who used it, against which targets, or at what scale.
This sparseness is not unusual for Android’s monthly bulletins, but once an entry is in the CISA KEV catalog (the Known Exploited Vulnerabilities catalog, the list on which the US CISA records vulnerabilities it has confirmed as exploited in the wild), it is treated as exploited in public information.
A KEV listing, under directive BOD 22-01, obligates the US Federal Civilian Executive Branch (FCEB) to remediate within a deadline. The binding force applies only to FCEB; the private sector and other agencies have no direct obligation, but the list is widely referenced as a priority list of vulnerabilities that are actually being exploited.
The NVD CVE page also shows the CISA KEV entry as added June 2, 2026, with a June 5, 2026 deadline, and the required action being to apply mitigations per vendor instructions or discontinue use.

The Critical ones are separate

What is classified as Critical for Framework in this bulletin is not CVE-2025-48595 but two other entries.
The privilege escalation CVE-2025-65018 (EoP, Critical) and the denial of service CVE-2025-64720 (DoS, Critical), both affecting Android 14, 15, 16, and 16-qpr2.

The one with indications of exploitation is the High-severity CVE-2025-48595.
The ones described as the most severe impact within the bulletin are the Critical Framework vulnerabilities.
For device-update priority, it is not one or the other; close them out together as the same June 2026 patch.

In environments where MDM or asset management cuts tickets per CVE, following only CVE-2025-48595 as KEV remediation will miss the Critical CVE-2025-65018 and CVE-2025-64720.
When you review the bulletin, keep exploitation status and severity in separate columns.

The date to read on the device

What you check on the device side is the “Android security update” date.
In the GUI, it shows under Settings → Security & privacy → Security update (it may be under “System” depending on the manufacturer).
Via command, adb shell getprop ro.build.version.security_patch returns the same value.

You can use the retrieved date directly to judge the patch level.

flowchart TD
  A[Check the security_patch date] --> B{2026-06-01 or later?}
  B -->|No| C[June set not applied<br/>wait for update or update manually]
  B -->|Yes| D{2026-06-05 or later?}
  D -->|No| E[CVE-2025-48595 fixed<br/>chipset/kernel part not applied]
  D -->|Yes| F[All of June applied]
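The decision tree above as a small C routine, added here for the article (it is not Google’s or any MDM vendor’s tooling): it takes the string that getprop returns, refuses to classify anything that is not a zero-padded YYYY-MM-DD value, and then compares lexically, which is correct for that format. The inventory line format (serial, tab, patch date) and the device names are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Thresholds from the June 2026 bulletin. */
#define JUNE_BASELINE "2026-06-01"
#define JUNE_FULL     "2026-06-05"

enum patch_state {
    PATCH_UNKNOWN  = -1,  /* not a YYYY-MM-DD value (empty, garbage): do not guess */
    PATCH_NOT_JUNE =  0,  /* earlier than 2026-06-01: CVE-2025-48595 not fixed */
    PATCH_JUNE_01  =  1,  /* 2026-06-01..2026-06-04: CVE fixed, chipset/kernel part missing */
    PATCH_JUNE_05  =  2   /* 2026-06-05 or later: whole June set applied */
};

/* Accept only the exact YYYY-MM-DD shape. Anything else must surface as
 * "unknown" rather than being silently treated as old or as current. */
bool is_iso_date(const char *s)
{
    if (s == NULL || strlen(s) != 10) return false;
    for (int i = 0; i < 10; i++) {
        if (i == 4 || i == 7) { if (s[i] != '-') return false; }
        else if (!isdigit((unsigned char)s[i])) return false;
    }
    return true;
}

/* Zero-padded ISO 8601 dates order correctly under plain lexical
 * comparison, so strcmp is enough; no date library is needed. */
enum patch_state classify_patch_level(const char *patch)
{
    if (!is_iso_date(patch)) return PATCH_UNKNOWN;
    if (strcmp(patch, JUNE_BASELINE) < 0) return PATCH_NOT_JUNE;
    if (strcmp(patch, JUNE_FULL) < 0) return PATCH_JUNE_01;
    return PATCH_JUNE_05;
}

/* Constructed inventory: one "serial<TAB>security_patch" line per device,
 * as a script collecting `adb -s SERIAL shell getprop
 * ro.build.version.security_patch` might write it. Device names are invented. */
static const char SAMPLE_INVENTORY[] =
    "pixel-a\t2026-06-05\n"
    "phone-b\t2026-06-01\n"
    "phone-c\t2026-05-05\n"
    "phone-d\t\n";                      /* property came back empty */

/* Count devices still missing CVE-2025-48595: those earlier than the
 * baseline, plus those whose value could not be classified, because an
 * unreadable value is not evidence that the fix is present. */
int count_unfixed(const char *inventory)
{
    int unfixed = 0;
    const char *p = inventory;
    while (*p) {
        char line[128];
        size_t n = strcspn(p, "\n");                    /* length of this line */
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        char *tab = strchr(line, '\t');
        const char *value = tab ? tab + 1 : "";         /* missing field -> unknown */
        enum patch_state st = classify_patch_level(value);
        if (st == PATCH_NOT_JUNE || st == PATCH_UNKNOWN)
            unfixed++;
        p += n;
        if (*p == '\n') p++;
    }
    return unfixed;
}

int main(void)
{
    const char *samples[] = { "2026-06-05", "2026-06-01", "2026-05-05", "", "2026-6-5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], (int)classify_patch_level(samples[i]));
    printf("devices still missing CVE-2025-48595: %d\n", count_unfixed(SAMPLE_INVENTORY));
    return 0;
}
```

The unknown state is the point worth keeping when you port this to your own inventory: a device whose property is empty or malformed should land in the "not yet confirmed" bucket, not be counted as patched because the comparison happened to return something.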

Pixels and some manufacturers’ devices get it sooner, but across Android as a whole, delivery timing varies by manufacturer, carrier, and region.
The day Google’s bulletin comes out and the day your device becomes updated do not match.

On development and test devices, in addition to the OS’s own security patch date, also record the Google Play system update date.
As noted in the May Wireless ADB article, since Android 10 some fixes ride on the Google Play system update side.
CVE-2025-48595 itself is a Framework-table entry, but if you are inventorying the June set, having both dates on record makes it easier to trace later.
