Google has released its June 2026 Android security update, addressing 124 vulnerabilities, including one actively exploited zero-day. The zero-day — CVE-2025-48595 — is an integer overflow vulnerability in the Android Framework that allows local attackers to escalate privileges on affected devices without requiring user interaction.

CVE-2025-48595 is classified as a high-severity integer overflow (CWE-190) in the Android Framework — the set of APIs and system services that applications interact with directly. An integer overflow occurs when an arithmetic operation produces a value that exceeds the maximum size of the data type used to store it, causing the value to wrap around or produce ...