CISA Adds Android CVE-2025-48595 to KEV, Orders Fixes by June 5
Updated · The Hacker News · Jun 3
Summary
On June 2, CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog, giving U.S. federal civilian agencies until June 5 to remediate the Android flaw.
Google had patched the bug a day earlier in its June 2026 Android update, part of 124 fixes, after saying the Framework vulnerability was under limited, targeted exploitation.
The flaw carries a CVSS score of 8.4 and affects Android 14, 15, 16 and 16 QPR2, enabling local privilege escalation through an integer overflow without user interaction.
Google issued 2026-06-01 and 2026-06-05 patch levels, with the later release also covering kernel and third-party chipset components from MediaTek, Qualcomm, Unisoc and Imagination Technologies.
Google did not identify attackers or victims, but similar Android privilege-escalation bugs have been used in highly targeted spyware campaigns against high-profile individuals.