CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation
From CTI Daily Brief — 2026-06-03 · published 2026-06-03
Google's June 2026 Android Security Bulletin patches CVE-2025-48595, a High-severity integer overflow in the Android Framework component that Google reports is under "limited, targeted exploitation" (Android Security Bulletin, 2026-06-01). The bug gives a local attacker — typically a malicious app already on the device — privilege escalation with no user interaction and no prior privileges, reaching system-level code execution across Android 14, 15, 16 and 16-QPR2 (BleepingComputer, 2026-06-02). The "limited, targeted" descriptor and the Framework location are, in our assessment, consistent with the historical pattern of commercial-spyware operators weaponising Framework LPEs against high-value targets, but no cited source attributes this specific case. The full fix requires reaching the 2026-06-05 patch level, which also carries chipset fixes from Qualcomm, MediaTek, Imagination and Unisoc (Android Security Bulletin, 2026-06-01). Defenders managing Android fleets: push the 2026-06-05 patch level via MDM/EMM and gate non-compliant devices with a Security-Patch-Level compliance policy; disable sideloading and restrict installs to managed stores. This is doubly relevant for Swiss federal device fleets given the G7 Évian travel window (§ 1).
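To make the patch-level gate concrete, here is an added example (not code from the brief or from Google): it evaluates a constructed MDM inventory export of the Android system property `ro.build.version.security_patch` against the 2026-06-05 level and fails closed on missing or malformed values. The record layout and device names are assumptions.

```python
"""Android security-patch-level compliance check (added example, not from the brief).

Mirrors the gate an MDM/EMM compliance policy applies: a device is compliant
for CVE-2025-48595 only when ro.build.version.security_patch is at or beyond
the 2026-06-05 level named in the June 2026 Android Security Bulletin.
"""
from datetime import date

REQUIRED_PATCH_LEVEL = date(2026, 6, 5)

# Constructed inventory records (assumed layout), shaped like an MDM export
# of the ro.build.version.security_patch property, which is YYYY-MM-DD.
INVENTORY = [
    {"device": "pixel-ops-01", "android": "16", "security_patch": "2026-06-05"},
    {"device": "pixel-ops-02", "android": "15", "security_patch": "2026-05-05"},
    {"device": "tablet-fld-07", "android": "14", "security_patch": "2026-06-05"},
    {"device": "kiosk-fld-03", "android": "14", "security_patch": ""},
    {"device": "byod-unknown", "android": "16", "security_patch": "garbage"},
]


def parse_patch_level(value):
    """Parse the YYYY-MM-DD patch string; return None if absent or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def is_compliant(record, required=REQUIRED_PATCH_LEVEL):
    """True only when a well-formed patch level is at or beyond `required`.

    Missing or unparseable values fail closed: the device is treated as
    non-compliant rather than silently passing the gate."""
    level = parse_patch_level(record.get("security_patch"))
    return level is not None and level >= required


def noncompliant_devices(inventory, required=REQUIRED_PATCH_LEVEL):
    """Return the device names the compliance policy should gate."""
    return [r["device"] for r in inventory if not is_compliant(r, required)]


if __name__ == "__main__":
    for name in noncompliant_devices(INVENTORY):
        print(f"GATE (below {REQUIRED_PATCH_LEVEL.isoformat()}): {name}")
```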
CVE Summary Table
A third actively-exploited CVE added to KEV this window — CVE-2022-0492, a Linux cgroup-v1 release_agent container escape — is covered in full in today's deep dive (§ 5).
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2024-21182 | Oracle WebLogic Server, versions 12.2.1.4.0 / 14.1.1.0.0 | 7.5 | high | yes (2026-06-01) | yes — unauth T3/IIOP | Oracle CPU Jul 2024 | THN |
| CVE-2025-48595 | Android Framework (14/15/16/16-QPR2) | High | n/a | yes (2026-06-02) | yes — limited, targeted | 2026-06-05 patch level | Android Bulletin |
| CVE-2022-0492 | Linux kernel cgroup v1 (< 5.17) | 7.0 | n/a | yes (2026-06-02) | yes — container escape | kernel 5.17+ / distro backport | CISA |