Google is patching an Android flaw that attackers are already exploiting in the wild
Google's June 2026 Android bulletin patches an actively exploited Framework privilege-escalation zero-day plus 123 other flaws. Here's who's at risk and what to do.
Google just confirmed that one Android bug in this month’s patch is already being used in attacks. The June 2026 Android Security Bulletin, published June 1, fixes 124 vulnerabilities in total, but one stands out: CVE-2025-48595, a Framework flaw the bulletin flags as under live exploitation. Eighteen of the 124 fixes are rated critical.
That single line in Google’s advisory changes the math on whether to wait. Most months you can let an OEM patch trickle down on its own schedule. This isn’t most months. When a vendor says a bug “may be under limited, targeted exploitation,” it usually means a specific actor, often a spyware vendor or a state buyer, is firing it at real phones right now.
What the zero-day actually does
CVE-2025-48595 lives in the Android Framework, the layer that sits between apps and the operating system core. Google classifies it as an elevation of privilege bug rated High. Its June bulletin states that “there are indications that CVE-2025-48595 may be under limited, targeted exploitation.”
The dangerous part is what it doesn’t need. A separate, even more severe Framework issue in the same bulletin is described by Google as “a critical security vulnerability in the Framework component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.” An elevation-of-privilege bug is the second stage of most real attacks: malware or a malicious app uses it to break out of its sandbox and gain system-level control. No tap, no phishing link, no permission prompt.
The exploited flaw affects Android 14, 15, 16, and 16-QPR2, per Google’s AOSP version table. That covers the bulk of phones in active use today. BleepingComputer and SC Media both confirmed the bulletin’s exploitation note when the update landed.
When the fix reaches your phone
Here’s the gap that decides who’s actually protected. Google splits the bulletin into two patch levels: 2026-06-01 and 2026-06-05. The June 5 level rolls up everything, including the exploited zero-day, so that’s the string to look for. Google’s own wording: “Security patch levels of 2026-06-01 or later address all of these issues.”
Pixel devices get the update the day it ships. Every other brand has to merge Google’s code, test it against their own skin, and push it out, which is where the lag lives. Samsung, Motorola, OnePlus, and the rest can run anywhere from a few days to a couple of months behind, and budget devices often wait longest. Google offers its standard caveat that “exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform,” which is real but cold comfort if you’re on a two-year-old phone that hasn’t seen the patch yet.
To check where you stand: open Settings, search for “security update,” and read the Android security patch level date. If it says June 5, 2026 or later, you’re covered. If it’s older, you’re exposed to a bug attackers are using now.
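For anyone responsible for more than one handset, the same check can be scripted over adb. This is an added example, not part of Google's bulletin or the original article; it assumes adb is installed and USB debugging is authorized on each device, and the function names and the `--audit` flag are hypothetical.

```shell
#!/bin/sh
# Added example: check adb-connected devices against the patch level the
# article says to look for. Function names and --audit are hypothetical.
REQUIRED_LEVEL="2026-06-05"   # from the article

# classify RELEASE PATCH_LEVEL
# Prints: patched | exposed | unlisted-release | unknown
classify() {
    release=$1
    level=$2
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty or malformed property
    esac
    # ISO dates order correctly as integers once the dashes are removed.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then
        echo patched
        return 0
    fi
    # Releases the article lists as affected. Assumption: 16-QPR2 builds
    # report "16" in ro.build.version.release.
    case $release in
        14|15|16) echo exposed ;;
        *) echo unlisted-release ;;
    esac
}

# Print serial, release, patch level and status for each authorized device.
audit() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from consuming the serial list on stdin;
        # tr strips the carriage return some adb versions append.
        release=$(adb -s "$serial" shell getprop ro.build.version.release </dev/null | tr -d '\r')
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s\tAndroid %s\t%s\t%s\n' "$serial" "$release" "$level" \
            "$(classify "$release" "$level")"
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

A device reported as `unlisted-release` is below the required level but runs a version the article does not name, so it needs a separate look rather than being counted as safe.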
What this means for you
Patch today if you can. On a Pixel, the fix is probably already waiting in Settings, so install it and reboot. On anything else, check your security patch level and keep checking daily until it reads 2026-06-05 or newer. Don’t dismiss the update nag this month.
While you wait, shrink your attack surface. An elevation-of-privilege bug usually needs something already running on the device to chain off, so this is a bad month to sideload a sketchy APK or grant a no-name app broad permissions. Stick to apps you trust, clear out ones you don’t use, and turn on Play Protect if it’s off. If you’re a high-risk user (a journalist, an activist, an exec), “limited, targeted exploitation” is the phrase that should make you treat this as urgent rather than routine. The whole point of a targeted zero-day is that you won’t see it coming.
Sources
- Android Security Bulletin — June 2026 — Google / Android Open Source Project
- Google fixes one actively exploited Android zero-day, 124 flaws — BleepingComputer