Android SDK: 25 Vulnerabilities Disclosed, Including Actively Exploited Zero-Day
Google's June 2026 Android security update addresses 25 vulnerabilities, including a high-severity zero-day (CVE-2025-48595) reportedly under limited, targeted exploitation.

Key findings
- 25 vulnerabilities disclosed together for the Android SDK on June 1, 2026.
- CVE-2025-48595, a high-severity zero-day, is reportedly under limited, targeted exploitation.
- Multiple privilege escalation flaws (CVE-2026-28580, CVE-2026-0100, CVE-2026-0091, etc.) are present.
- Several vulnerabilities (CVE-2026-0080, CVE-2026-0052, etc.) can lead to denial of service conditions.
- Critical flaw CVE-2026-0072 involves a missing permission check in InputMethodManagerService.
- Users are urged to apply the June 2026 Android security updates promptly.
Google has released its June 2026 Android security bulletin, detailing 25 vulnerabilities affecting the Android SDK. The disclosures, clustered within a three-hour window on June 1, 2026, range in severity from Low to Critical, with a notable focus on privilege escalation flaws. Among the patched issues is CVE-2025-48595, a high-severity integer overflow vulnerability in the Android Framework that security researchers have indicated is being actively exploited in targeted attacks.
The batch of vulnerabilities encompasses a variety of attack vectors and impacts. Several high-severity flaws, including CVE-2026-28580, CVE-2026-0100, CVE-2026-0091, and CVE-2025-48595, are categorized as local privilege escalation with no additional execution privileges required. These vulnerabilities stem from issues such as incorrect bounds checks, heap buffer overflows, and over-privileged shell users, potentially allowing attackers to gain significant control over a device.
Further privilege escalation risks are present in CVE-2026-0098, which involves a confused deputy scenario leading to activity start restriction bypass, and CVE-2026-0093, a UI obfuscation flaw that could mislead users. Other privilege escalation vulnerabilities include CVE-2026-0045 (bypass of secure connection bonding), CVE-2026-0009 (tapjacking), CVE-2025-48649 (resetting user-selected permissions), and CVE-2025-32348 (background activity launch due to missing permission checks).
A critical vulnerability, CVE-2026-0072, identified in the InputMethodManagerService, involves a missing permission check that could lead to local privilege escalation. Additionally, CVE-2026-0075 points to a SQL injection vulnerability allowing access to the contacts database, and CVE-2025-22424 could enable the revelation of images across users due to improper input validation.
The batch also includes several denial-of-service (DoS) vulnerabilities. CVE-2026-0080, CVE-2026-0052, CVE-2026-0044, CVE-2026-0041, CVE-2026-0040, and CVE-2026-0039 are related to integer overflows or resource exhaustion within the ubsan_throwing_runtime.cpp component, leading to remote or local crashes and denial of service. CVE-2026-0067 and CVE-2026-0042 describe logic errors or resource exhaustion resulting in local denial of service.
CVE-2026-0050, a low-severity vulnerability, involves a permissions bypass that could lead to local information disclosure. The disclosure of these 25 vulnerabilities occurred on June 1, 2026, within a span of three hours, highlighting a coordinated disclosure event by Google.
Of particular concern is CVE-2025-48595, which has been flagged as potentially under limited, targeted exploitation. Reports from Help Net Security, BleepingComputer, and Cyber Security News indicate that this vulnerability allows local attackers to achieve code execution and escalate privileges on devices running Android 14 or later. Google's advisory notes that exploitation for many issues is made more difficult by enhancements in newer Android versions and encourages users to update to the latest available version.
While specific patch versions are not detailed for each individual CVE within the broader Android SDK, users are strongly advised to apply the June 2026 security updates as soon as possible to mitigate the risks associated with these vulnerabilities. The coordinated disclosure and the active exploitation of CVE-2025-48595 underscore the importance of timely patching for Android devices.
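The bulletin's bottom line is the patch level, so the one check an administrator wants is whether a device actually carries the June 2026 patch level (Android exposes it in the `ro.build.version.security_patch` system property as a YYYY-MM-DD date). The script below is an added example, not from Google's bulletin or the reports it cites: it compares that date against the bulletin date and, when invoked with `--device`, reads the live value over `adb`. The `2026-06-01` threshold is taken from the bulletin date stated above; treat the exact patch-level string a given OEM ships as something to confirm against that vendor's own advisory.

```shell
#!/bin/sh
# Added example (not from the bulletin): decide whether a device's Android
# security patch level is at or after the June 2026 bulletin date.
# Only the live check needs adb; the comparison works on plain strings.

BULLETIN_DATE="2026-06-01"   # date of the June 2026 Android bulletin

# patch_level_is_current LEVEL [REQUIRED]
#   0 -> LEVEL (YYYY-MM-DD) is on or after REQUIRED (default: BULLETIN_DATE)
#   1 -> LEVEL is older than REQUIRED (device still exposed to the batch)
#   2 -> LEVEL is empty or not a YYYY-MM-DD string (property missing/garbled)
# Patch levels are ISO dates, so stripping the dashes yields integers that
# compare in calendar order (20260601 vs 20260505).
patch_level_is_current() {
    level="$1"
    required="${2:-$BULLETIN_DATE}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    level_num=$(printf '%s' "$level" | tr -d '-')
    required_num=$(printf '%s' "$required" | tr -d '-')
    [ "$level_num" -ge "$required_num" ]
}

# check_device: query the connected device and report in human-readable form.
# Exit status mirrors patch_level_is_current so it can drive a fleet script.
check_device() {
    # adb output on some hosts carries a trailing CR; strip it before comparing.
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    patch_level_is_current "$level"
    rc=$?
    case "$rc" in
        0) echo "patch level $level: June 2026 bulletin applied" ;;
        1) echo "patch level $level: OLDER than $BULLETIN_DATE, update required" ;;
        *) echo "could not read a valid patch level (got '$level')" ;;
    esac
    return "$rc"
}

# Only touch adb when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run `sh check_patch.sh --device` with a device attached (one device, or set `ANDROID_SERIAL`); a non-zero exit means the device either predates the bulletin or did not report a usable patch level, and either case deserves a closer look rather than being counted as patched.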