Particle.news

Google Releases June Android Patches Fixing Actively Exploited Zero‑Day

The update closes an Android Framework integer overflow that can let a malicious app gain full device privileges.

Overview

  • Google released the patches on Monday and then published the June 2026 Android security bulletin, whose two patch levels together fix 124 vulnerabilities.
  • The most urgent fix is CVE-2025-48595, an integer overflow in the Android Framework that can allow local code execution and privilege escalation without user interaction.
  • Devices running Android 14, 15, 16 and 16 QPR2 are affected, and Google says the flaw may have been used in limited, targeted attacks.
  • Google will push the updates to Pixel phones immediately and will publish AOSP source patches within about 48 hours, while OEMs and chipset vendors will roll out vendor-specific fixes on their own schedules.
  • The bulletin also patches 18 critical bugs across Framework, System and closed-source chipset components. Defenders must rely on rapid patching because Google has not released technical exploit details or public attribution. Similar Framework flaws have previously been used by commercial spyware and state actors.