Android June 2026 Patch Fixes Exploited Zero-Day
Google's June 2026 Android update patches an actively exploited privilege-escalation zero-day plus 124 flaws. Here is why to update today and how.

Google's June 2026 Android update is not a routine one. It closes a hole that attackers were already using to take over phones, and the fix is sitting in Settings waiting for you to tap Install. Do it before you finish reading, then come back for the details.
Quick answer
The June 2026 Android security update patches CVE-2025-48595, an actively exploited privilege-escalation zero-day in the Android Framework that needs no user interaction. It affects Android 14, 15, 16, and 16 QPR2, and is one of 124 vulnerabilities fixed this cycle. Update now: open Settings, then Security & privacy, then System & updates, and install the June 2026 patch level.
Key takeaways
- CVE-2025-48595 is being actively exploited, likely by spyware vendors or nation-state actors.
- It is a privilege-escalation flaw requiring no taps from the victim.
- Affected versions: Android 14, 15, 16, and 16 QPR2.
- The update fixes 124 vulnerabilities, 18 of them critical.
- Install the June 2026 patch level now; do not wait for the next monthly cycle.
What CVE-2025-48595 is
The zero-day is an elevation-of-privilege bug in the Android Framework, the core layer that apps run on top of. It stems from an integer overflow, and its most alarming trait is that it needs no user interaction. An attacker who can already run code at a low privilege level can use it to escalate their control over the device without you tapping, clicking, or approving anything.
Google described it as possibly "under limited, targeted exploitation." That phrasing is deliberate: it means confirmed targeted attacks, not yet mass exploitation. Historically that pattern points to commercial spyware vendors or state-aligned actors going after specific people such as journalists, activists, and officials rather than the general public.
That does not mean ordinary users can ignore it. Once a technique is out, it filters down to broader criminal use, and a no-interaction privilege-escalation bug is exactly the kind of building block that gets reused.

What else the update fixes
This is a large release. The June 2026 update addresses 124 vulnerabilities across two patch levels.
| Patch level | What it covers | Critical count |
|---|---|---|
| 2026-06-01 | Core Android OS: Framework and System | 18 critical |
| 2026-06-05 | Everything in 06-01 plus kernel and chipset drivers (Qualcomm, MediaTek) | Additional fixes |
The 2026-06-05 level is the more complete one because it includes the chipset-specific patches from Qualcomm and MediaTek on top of the core OS fixes. When you check your patch level, the closer you are to 2026-06-05, the better.
How to update your phone
The fix is free and takes minutes. The exact menu names vary slightly by manufacturer, but the path is consistent.
- Open Settings and tap Security & privacy (or just Security on some phones).
- Tap System & updates, then Security update or Google Play system update.
- Tap Check for updates and install anything offered.
- Reboot when prompted, then reopen the menu and confirm your security patch level reads June 2026.
If no update appears, your manufacturer may not have shipped it yet. Pixel devices get Google's patches first; other brands follow on their own schedules, which is one reason update cadence should factor into which phone you buy.
If your phone no longer gets updates
An older phone that has stopped receiving security patches cannot be protected against this bug. That is a real risk, not a theoretical one.
- Check your manufacturer's support window. If your model is past it, this zero-day and the rest of the 124 flaws fixed this cycle stay open forever.
- Plan to replace an unsupported phone, the same logic we apply to end-of-life routers exploited by botnets.
- In the meantime, avoid sideloading apps and stick to the Play Store, since many attack chains start with a sideloaded app. Our guide on Android banking trojans and sideloading covers that risk.
What to do right now
- Open Settings and install the June 2026 security update immediately.
- Confirm your security patch level shows June 2026 (ideally 2026-06-05).
- Turn on automatic updates so future patches install without you remembering.
- If your phone is past its support window, plan to replace it.
- Keep to the Play Store and avoid sideloaded APKs until you are patched.
Frequently asked questions
Am I likely to be targeted by this zero-day?
The confirmed exploitation is targeted, typically aimed at high-profile individuals rather than the general public. But no-interaction privilege-escalation bugs get reused by broader criminal actors over time, so everyone should patch. It costs you two minutes.
How do I know if my phone already has the fix?
Check your Android security patch level under Settings, then About phone, then Android version. If it reads June 1, 2026 or later, you have the Framework fix; June 5, 2026 also includes the chipset patches.
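For anyone checking several phones from a computer, the same rule can be scripted. This is an added example, not code from Google or from this article. It assumes `adb` is installed and USB debugging is authorized on each device; the function names, verdict labels and the `--audit` switch are invented for this sketch, while `ro.build.version.security_patch` and `ro.build.version.release` are the standard Android properties behind the values shown in Settings.

```shell
#!/bin/sh
# Added example: classify a device's Android security patch level against the
# two June 2026 levels named in the article (2026-06-01 and 2026-06-05).

# Print a verdict for one patch-level string (YYYY-MM-DD).
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;   # empty or malformed value
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    n=$(printf '%s' "$1" | tr -d '-')
    if [ "$n" -ge 20260605 ]; then
        echo "framework+chipset"         # 2026-06-05 or later
    elif [ "$n" -ge 20260601 ]; then
        echo "framework-only"            # 2026-06-01 up to 2026-06-04
    else
        echo "missing-june-2026"         # older than the June 2026 levels
    fi
}

# Read `adb devices` output on stdin, print serials of authorized devices only
# (entries marked "unauthorized" or "offline" cannot be queried).
list_serials() {
    awk 'NR > 1 && $2 == "device" { print $1 }'
}

# Query every attached device and print: serial, release, patch level, verdict.
audit_attached_devices() {
    adb devices | list_serials | while read -r serial; do
        # </dev/null stops adb from swallowing the loop's input.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        release=$(adb -s "$serial" shell getprop ro.build.version.release </dev/null | tr -d '\r')
        printf '%s\tAndroid %s\t%s\t%s\n' "$serial" "$release" "$level" \
            "$(classify_patch_level "$level")"
    done
}

# Runs only when asked, so the functions can be sourced without adb present.
if [ "${1:-}" = "--audit" ]; then
    audit_attached_devices
fi
```

A verdict of `missing-june-2026` on a device running Android 14, 15 or 16 means the CVE-2025-48595 fix is not installed yet.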
My phone says it is up to date but shows an older patch level. Why?
Manufacturers roll out Google's patches on their own timelines, so "up to date" means the latest your maker has released, not necessarily the newest Google patch. Pixel devices get it first; others may lag by weeks.
Does a VPN or antivirus protect me instead of updating?
No. A privilege-escalation flaw in the OS itself can only be closed by the OS patch. A VPN encrypts traffic and mobile antivirus catches some malware, but neither fixes CVE-2025-48595. Updating is the only real remedy.


