Google Patches Android Zero-Day and High-Severity XR Privilege Escalation Flaws
Google has issued its June 2026 Android security updates to fix 113 vulnerabilities, including 18 critical flaws and a zero-day tracked as CVE-2025-48595 that the company said may be under limited, targeted exploitation. The zero-day affects the Android Framework and stems from an integer overflow memory-management issue that can enable code execution and potentially full device compromise. The update also addresses vulnerabilities in third-party components from Qualcomm, MediaTek, and Unisoc, and Google said devices running Android 10 or later can receive relevant fixes through Google Play services, with patch levels dated 2026-06-05 or later remediating the documented issues.
Google also published its June 2026 XR Security Bulletin, disclosing a high-severity flaw, CVE-2026-0072, in InputMethodManagerService. The bug is caused by a missing permission check in addInputMethodListener and can allow local elevation of privilege without additional execution privileges or user interaction; Google said it could also permit input text to be read without permission. The XR issue is fixed with security patch level 2026-06-01 or later, while full XR protection requires the broader Android June 2026 patch level as well, underscoring the need for enterprises to accelerate deployment of both platform and device-vendor updates.
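Because both bulletins are expressed as security patch levels, the first thing an administrator checks is where each device stands. The following is an added example, not code from Google or from the bulletins: it parses `adb shell getprop` output (a constructed sample is embedded) and reports which of the two patch levels named above a device has not yet reached. The bulletin labels are this example's own.

```python
"""Patch-level triage against the June 2026 Android and XR bulletins (added example)."""
import re
from datetime import date
from typing import Dict, List, Optional

# Patch levels stated in the bulletins; the labels are this example's own.
REQUIRED_LEVELS = {
    "Android June 2026 bulletin (CVE-2025-48595)": date(2026, 6, 5),
    "XR June 2026 bulletin (CVE-2026-0072)": date(2026, 6, 1),
}

# getprop prints one property per line as "[key]: [value]".
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn getprop lines into a dict; lines that do not match are ignored."""
    props = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def patch_level(props: Dict[str, str]) -> Optional[date]:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if absent or malformed."""
    try:
        return date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return None


def outstanding(props: Dict[str, str], required=REQUIRED_LEVELS) -> List[str]:
    """Labels of bulletins whose patch level the device has not reached."""
    level = patch_level(props)
    if level is None:
        return sorted(required)  # unknown level: treat every bulletin as open
    return sorted(label for label, needed in required.items() if level < needed)


# Constructed sample: a device still on a May 2026 patch level.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [16]
[ro.build.version.security_patch]: [2026-05-05]
[ro.product.model]: [sample-device]
"""

if __name__ == "__main__":
    for label in outstanding(parse_getprop(SAMPLE_GETPROP)):
        print("not yet patched:", label)
```

Note that the page also states Android 10 and later may receive relevant fixes through Google Play services, which this property does not reflect; treat the patch level as the floor, not the whole picture.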

How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
Google releases June 2026 Android security update for exploited zero-day
Google released an emergency Android security update addressing CVE-2025-48595, a critical Framework integer overflow flaw that it said may be under limited, targeted exploitation. The June 2026 bulletin fixed 113 vulnerabilities in total, including 18 critical issues, and noted that patch levels dated 2026-06-05 or later remediate the documented threats.
CISA adds Linux kernel CVE-2022-0492 to KEV
CISA added CVE-2022-0492, a Linux kernel cgroups v1 privilege-escalation flaw, to its Known Exploited Vulnerabilities catalog. The agency required covered federal agencies to remediate or discontinue affected software by 2026-06-05.
CISA adds CVE-2025-48595 to KEV and orders federal remediation
CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog on 2026-06-02. The agency directed Federal Civilian Executive Branch agencies to remediate the Android flaw by 2026-06-05.
Android discloses CVE-2026-0072 in June XR Security Bulletin
Google published the June 1, 2026 XR Security Bulletin identifying CVE-2026-0072, a high-severity elevation-of-privilege flaw in the XR component that could allow input text to be read without permission. Google said devices with security patch level 2026-06-01 or later address the XR bulletin issues.
Google warns of exploited Android zero-days affecting Pixel phones
Google disclosed that two Android zero-day vulnerabilities were being exploited and warned that Pixel devices were affected, with the activity linked to forensic companies. The report described the flaws as under active exploitation in the wild.
Sources
Google Patches Actively Exploited Android Flaw Affecting Millions of Devices (securityaffairs.com)
CVE-2025-48595 Fixed In Android June 2026 Security Update (thecyberexpress.com)
Android fixed 124 vulnerabilities, including a 0-day under attack - Хакер (xakep.ru)
CISA warns of active attacks exploiting Android, Linux bugs (bleepingcomputer.com)
Android Security Bulletin - June 2026 | Android Open Source Project (source.android.com)
CVE-2026-0072 - Android InputMethodManagerService Privilege Escalation (cvefeed.io)
Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies (thehackernews.com)