ctipilot.ch

Android Framework integer-overflow LPE (no-interaction), limited targeted exploitation; June 2026 bulletin

cve · CVE-2025-48595

Coverage timeline
1
first 2026-06-03 → last 2026-06-03
Peak priority
high
1 high
Sources cited
5
5 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-06-03CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com1 (20%)
  • cisa.gov1 (20%)
  • helpnetsecurity.com1 (20%)
  • source.android.com1 (20%)
  • thehackernews.com1 (20%)

explore in graph

Entries about Android Framework integer-overflow LPE (no-interaction), limited targeted exploitation; June 2026 bulletin (1)

2026-06-03 · view entry permalink →

HIGHCVE-2025-48595exploited

CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation

Google's June 2026 Android Security Bulletin patches CVE-2025-48595, a High-severity integer overflow in the Android Framework component that Google reports is under "limited, targeted exploitation" (Android Security Bulletin, 2026-06-01). The bug gives a local attacker — typically a malicious app already on the device — privilege escalation with no user interaction and no prior privileges, reaching system-level code execution across Android 14, 15, 16 and 16-QPR2 (BleepingComputer, 2026-06-02). The "limited, targeted" descriptor and the Framework location are, in our assessment, consistent with the historical pattern of commercial-spyware operators weaponising Framework LPEs against high-value targets — but no cited source attributes this specific case; the full fix requires reaching the 2026-06-05 patch level, which also carries chipset fixes from Qualcomm, MediaTek, Imagination and Unisoc (Android Security Bulletin, 2026-06-01). Defenders managing Android fleets: push the 2026-06-05 patch level via MDM/EMM and gate non-compliant devices via Security-Patch-Level compliance policy; disable sideloading and restrict installs to managed stores; this is doubly relevant for Swiss federal device fleets given the G7 Évian travel window (§ 1).

CVE Summary Table

A third actively-exploited CVE added to KEV this window — CVE-2022-0492, a Linux cgroup-v1 release_agent container escape — is covered in full in today's deep dive (§ 5).

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2024-21182 Oracle WebLogic Server, versions 12.2.1.4.0 / 14.1.1.0.0 7.5 high yes (2026-06-01) yes — unauth T3/IIOP Oracle CPU Jul 2024 THN
CVE-2025-48595 Android Framework (14/15/16/16-QPR2) High n/a yes (2026-06-02) yes — limited, targeted 2026-06-05 patch level Android Bulletin
CVE-2022-0492 Linux kernel cgroup v1 (< 5.17) 7.0 n/a yes (2026-06-02) yes — container escape kernel 5.17+ / distro backport CISA

Google's June 2026 Android Security Bulletin patches CVE-2025-48595, a High-severity integer overflow in the Android Framework component that Google reports is under "limited, targeted exploitation" (Android Security Bulletin, 2026-06-01).

ctipilot v2 brief (migrated)
vulnerability03 Jun 05:00Zmulti-sourceOpen finding ↗