Google Android and Linux Kernel: 50 Vulnerabilities Disclosed in Two Batches
Key findings • Google disclosed 25 Android SDK vulnerabilities on June 1, 2026, including multiple privilege escalation flaws. • A separate batch of 25 Linux kernel vulnerabilities was disclo…
Key findings
- Google disclosed 25 Android SDK vulnerabilities on June 1, 2026, including multiple privilege escalation flaws.
- A separate batch of 25 Linux kernel vulnerabilities was disclosed on June 3, 2026, affecting diverse subsystems.
- Android vulnerabilities include heap overflows, confused deputy flaws, and tapjacking issues.
- Linux kernel issues range from race conditions and NULL pointer dereferences to out-of-bounds access.
- One report mentioned limited, targeted exploitation of an Android zero-day within the June 1st batch.
- No immediate reports of active exploitation for the Linux kernel vulnerabilities were noted.
In a coordinated disclosure event spanning June 1st and June 3rd, 2026, Google addressed a substantial number of vulnerabilities affecting both its Android operating system and the Linux kernel. The first batch, disclosed on June 1st, comprised 25 vulnerabilities within the Android SDK, ranging from low to high severity, with several enabling privilege escalation. The second batch, revealed on June 3rd, detailed 25 vulnerabilities impacting the Linux kernel, affecting diverse subsystems including drivers, networking, and core kernel functions.
The Android SDK vulnerabilities, detailed in advisories published on June 1st, include a variety of issues. Several high-severity flaws, such as CVE-2026-0097 and CVE-2026-0095, allow for privilege escalation. CVE-2026-0097, a remote privilege escalation flaw, can be exploited via Bluetooth LE pairing bypass. CVE-2026-0095 involves controlled heap corruption within the privileged Bluetooth process due to an integer overflow. Other privilege escalation vectors include confused deputy flaws (CVE-2026-0098), heap buffer overflows (CVE-2026-0100), and improper input validation leading to persistence desync (CVE-2026-28580).
Further Android vulnerabilities include issues like tapjacking/overlay attacks enabling privilege escalation (CVE-2026-28577), logic errors allowing activity launches from the background (CVE-2026-0099), and the ability to install unverified apps due to missing permission checks (CVE-2026-0089). Some vulnerabilities, like CVE-2026-28581, could lead to making emergency calls due to logic errors, while CVE-2026-28578 could result in denial of service conditions. Notably, one report indicated limited, targeted exploitation of a zero-day vulnerability within this batch, though specific CVEs were not immediately linked.
The Linux kernel vulnerabilities, disclosed on June 3rd, span a wide range of subsystems. Issues include race conditions, NULL pointer dereferences, and out-of-bounds access. Specific drivers affected include ibmveth, which has a vulnerability related to disabling GSO for packets with small MSS (CVE-2026-46273), and ath12k, with a fix for WoW offloads on primary links in multi-link connections (CVE-2026-46271). Networking flaws are also present, such as an out-of-bound read in IPv6 routing (CVE-2026-46260) and a fix for potential recursion into NFS via nfs_writepages in LOCALIO (CVE-2026-46256).
Other Linux kernel vulnerabilities address stability and correctness issues across various components. For instance, CVE-2026-46272 fixes a race condition in the Coresight ETM driver, while CVE-2026-46265 addresses a WQ_MEM_RECLAIM warning in RDMA/hns. SPI drivers are affected by a potential NULL pointer dereference in wpcm-fiu (CVE-2026-46261), and btrfs has a fix for block_group_tree dirty_list corruption (CVE-2026-46251). Several vulnerabilities stem from missing NULL checks for memory allocation functions, such as in PCI endpoint drivers (CVE-2025-71313).
While no immediate reports of active exploitation in the wild were noted for the Linux kernel batch, users are strongly advised to apply the relevant security updates for both Android and the Linux kernel as soon as they become available. The coordinated nature of these disclosures suggests a proactive approach by Google to address potential security risks across its product ecosystem.
These disclosures underscore the ongoing need for diligent security patching and awareness. The breadth of affected components, from user-space Android services to low-level kernel drivers, highlights the complexity of modern software systems and the continuous effort required to maintain their security.